{"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T15:30:55Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"error","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T15:30:55Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-11T15:30:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T15:30:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"} {"level":"info","ts":"2026-06-11T15:30:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-11T15:30:56Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52598","PortSpecifier":{"PortValue":52598}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52598","PortSpecifier":{"PortValue":52598}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":2871689},"http":{"id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192181,"groups":["Engineering","Project-Alpha"],"iat":1781191881,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:872eb85f-f6bd-fe38-3288-80acfc81392f","preferred_username":"alice_lead","scope":"email profile","sid":"Gaxrvf7wBsm5SfFkCeLeYW7z","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192181,"groups":["Engineering","Project-Alpha"],"iat":1781191881,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:872eb85f-f6bd-fe38-3288-80acfc81392f","preferred_username":"alice_lead","scope":"email profile","sid":"Gaxrvf7wBsm5SfFkCeLeYW7z","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bdf9275c-8108-40e3-9712-1c0a805a47ca","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52610","PortSpecifier":{"PortValue":52610}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52610","PortSpecifier":{"PortValue":52610}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":123280417},"http":{"id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2a3f320-5cb9-48bf-a7fd-853c4fe6185b","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bb6a962e-b574-465d-a6c3-304d640d65b5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52614","PortSpecifier":{"PortValue":52614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bb6a962e-b574-465d-a6c3-304d640d65b5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bb6a962e-b574-465d-a6c3-304d640d65b5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52614","PortSpecifier":{"PortValue":52614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":165315204},"http":{"id":"bb6a962e-b574-465d-a6c3-304d640d65b5","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.11","x-forwarded-host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"bb6a962e-b574-465d-a6c3-304d640d65b5"},"path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"bb6a962e-b574-465d-a6c3-304d640d65b5","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bb6a962e-b574-465d-a6c3-304d640d65b5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bb6a962e-b574-465d-a6c3-304d640d65b5","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6805224-0056-43ea-9e0d-668ab8d0551e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52626","PortSpecifier":{"PortValue":52626}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c6805224-0056-43ea-9e0d-668ab8d0551e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c6805224-0056-43ea-9e0d-668ab8d0551e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52626","PortSpecifier":{"PortValue":52626}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":191335644},"http":{"id":"c6805224-0056-43ea-9e0d-668ab8d0551e","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.11","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.11","x-forwarded-host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"c6805224-0056-43ea-9e0d-668ab8d0551e"},"path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"metadata_context":{}}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6805224-0056-43ea-9e0d-668ab8d0551e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c6805224-0056-43ea-9e0d-668ab8d0551e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52632","PortSpecifier":{"PortValue":52632}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52632","PortSpecifier":{"PortValue":52632}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":570366324},"http":{"id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Site-Reliability"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da87ba1-f500-3575-27b3-6a49aa8cf519","preferred_username":"bob_sre","scope":"email profile","sid":"fiAwo9ik8PkowikGh_-MgiD3","sub":"b4cdbf10-9ecf-4b59-bed3-a343764b7135","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Site-Reliability"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0da87ba1-f500-3575-27b3-6a49aa8cf519","preferred_username":"bob_sre","scope":"email profile","sid":"fiAwo9ik8PkowikGh_-MgiD3","sub":"b4cdbf10-9ecf-4b59-bed3-a343764b7135","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d5b0a254-4a19-4bf8-bd3c-5d83f6bcf1a7","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52640","PortSpecifier":{"PortValue":52640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52640","PortSpecifier":{"PortValue":52640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":793119856},"http":{"id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:66b24461-bff2-3a6c-6f3b-777fed68057b","preferred_username":"alice_lead","scope":"email profile","sid":"wTrl-ZmMfA9UaoPg1a_wslsE","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:66b24461-bff2-3a6c-6f3b-777fed68057b","preferred_username":"alice_lead","scope":"email profile","sid":"wTrl-ZmMfA9UaoPg1a_wslsE","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5dacfbfb-6e4f-4a37-be20-e289dc38d6e4","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52648","PortSpecifier":{"PortValue":52648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52648","PortSpecifier":{"PortValue":52648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":824458607},"http":{"id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7\"}"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c5b9a933-1150-4ccf-ab6b-dbcae69cd534","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":844189475},"http":{"id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7\"}"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":844189475,"seconds":1781191882},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.37:53446","port":53446}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"a1842b8d-384e-4a94-bf9b-ab4d5bd79558","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99e88aad-1f0f-40d9-b8d5-789d07fc0250","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52662","PortSpecifier":{"PortValue":52662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52662","PortSpecifier":{"PortValue":52662}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":876906772},"http":{"id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1ETvzMNIE8P0DrIYr_nMJogg3lHYX4mw7hCCIZMxwo9pJ55iRawXd6qgYPTf7\"}"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"a1842b8d-384e-4a94-bf9b-ab4d5bd79558","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f95b8364-f7ba-45f8-a943-563fecc2b0b3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52674","PortSpecifier":{"PortValue":52674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52674","PortSpecifier":{"PortValue":52674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191882,"nanos":982412204},"http":{"id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6f4c21cf-2bcd-32f9-5026-f6dfeada0f87","preferred_username":"alice_lead","scope":"email profile","sid":"1hI8JKCoRweRHRO83XRD4BgQ","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6f4c21cf-2bcd-32f9-5026-f6dfeada0f87","preferred_username":"alice_lead","scope":"email profile","sid":"1hI8JKCoRweRHRO83XRD4BgQ","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:22Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8efd2b5f-ad93-4e63-abbc-b8c48d327d50","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ae74846-b834-41da-a8c8-66940a49f227","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52680","PortSpecifier":{"PortValue":52680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4ae74846-b834-41da-a8c8-66940a49f227","method":"DELETE","path":"/maas-api/v1/api-keys/10c78100-5cb5-45cd-a552-a51555afd45f","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4ae74846-b834-41da-a8c8-66940a49f227","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52680","PortSpecifier":{"PortValue":52680}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191883,"nanos":16644920},"http":{"id":"4ae74846-b834-41da-a8c8-66940a49f227","method":"DELETE","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/10c78100-5cb5-45cd-a552-a51555afd45f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6f4c21cf-2bcd-32f9-5026-f6dfeada0f87","preferred_username":"alice_lead","scope":"email profile","sid":"1hI8JKCoRweRHRO83XRD4BgQ","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4ae74846-b834-41da-a8c8-66940a49f227","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192182,"groups":["Engineering","Project-Alpha"],"iat":1781191882,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6f4c21cf-2bcd-32f9-5026-f6dfeada0f87","preferred_username":"alice_lead","scope":"email profile","sid":"1hI8JKCoRweRHRO83XRD4BgQ","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/10c78100-5cb5-45cd-a552-a51555afd45f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4ae74846-b834-41da-a8c8-66940a49f227","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ae74846-b834-41da-a8c8-66940a49f227","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4ae74846-b834-41da-a8c8-66940a49f227","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52684","PortSpecifier":{"PortValue":52684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52684","PortSpecifier":{"PortValue":52684}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":54834447},"http":{"id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1OxM5MOwQ9h65QtHN_cmFeYqYE8ykt8xDr90EzGoLcgZO9mN2wJJAj9ex6fAb"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1OxM5MOwQ9h65QtHN_cmFeYqYE8ykt8xDr90EzGoLcgZO9mN2wJJAj9ex6fAb\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"092bc017-d18a-4d17-8ad3-3e9b7e0b861b","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52700","PortSpecifier":{"PortValue":52700}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e93315f6-8001-4cd9-be90-12243a03bdca","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52700","PortSpecifier":{"PortValue":52700}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":185721821},"http":{"id":"e93315f6-8001-4cd9-be90-12243a03bdca","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e93315f6-8001-4cd9-be90-12243a03bdca","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52706","PortSpecifier":{"PortValue":52706}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52706","PortSpecifier":{"PortValue":52706}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":346161395},"http":{"id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fda43612-85ba-8b0f-fa01-5d06ea02a3da","preferred_username":"alice_lead","scope":"email profile","sid":"5iunNp5zdFksJF_RraGzylQY","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fda43612-85ba-8b0f-fa01-5d06ea02a3da","preferred_username":"alice_lead","scope":"email profile","sid":"5iunNp5zdFksJF_RraGzylQY","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d8bbd33e-fca5-4337-b892-aae80ee701cf","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52714","PortSpecifier":{"PortValue":52714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8ee91024-f08d-490c-9395-43b9f4903b74","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52714","PortSpecifier":{"PortValue":52714}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":381714697},"http":{"id":"8ee91024-f08d-490c-9395-43b9f4903b74","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Site-Reliability"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cffa08d1-b095-88e0-8f8f-37c87d48c8a7","preferred_username":"bob_sre","scope":"email profile","sid":"NsPk6gVhOgZ4-7hFHn3kRZAy","sub":"b4cdbf10-9ecf-4b59-bed3-a343764b7135","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Site-Reliability"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cffa08d1-b095-88e0-8f8f-37c87d48c8a7","preferred_username":"bob_sre","scope":"email profile","sid":"NsPk6gVhOgZ4-7hFHn3kRZAy","sub":"b4cdbf10-9ecf-4b59-bed3-a343764b7135","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8ee91024-f08d-490c-9395-43b9f4903b74","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52722","PortSpecifier":{"PortValue":52722}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52722","PortSpecifier":{"PortValue":52722}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":490130331},"http":{"id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5954a665-2738-45bc-9c9d-fb1cd3c30772","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"774540d9-568d-4f0e-b44f-e660692170cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52738","PortSpecifier":{"PortValue":52738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"774540d9-568d-4f0e-b44f-e660692170cc","method":"DELETE","path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"774540d9-568d-4f0e-b44f-e660692170cc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52738","PortSpecifier":{"PortValue":52738}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":520832302},"http":{"id":"774540d9-568d-4f0e-b44f-e660692170cc","method":"DELETE","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"774540d9-568d-4f0e-b44f-e660692170cc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"774540d9-568d-4f0e-b44f-e660692170cc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"774540d9-568d-4f0e-b44f-e660692170cc","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"774540d9-568d-4f0e-b44f-e660692170cc","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52748","PortSpecifier":{"PortValue":52748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","method":"DELETE","path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52748","PortSpecifier":{"PortValue":52748}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":550684956},"http":{"id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","method":"DELETE","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b9da9519-0559-1cb9-6b77-6eee30161679","preferred_username":"alice_lead","scope":"email profile","sid":"DGcUy0WjfpcEziGR_egBvL-Q","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/c1d9d2c4-8295-4d88-a7e0-a1c15d194b18",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f2f76d82-6fec-4db8-b80d-612dfea94b8f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52764","PortSpecifier":{"PortValue":52764}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52764","PortSpecifier":{"PortValue":52764}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":647314701},"http":{"id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f653e886-de43-79c4-fe5d-dfb5dcd35d48","preferred_username":"alice_lead","scope":"email profile","sid":"oZaRfZyl9mU05r0m28TA_TGS","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f653e886-de43-79c4-fe5d-dfb5dcd35d48","preferred_username":"alice_lead","scope":"email profile","sid":"oZaRfZyl9mU05r0m28TA_TGS","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f9c77c48-dd14-46b4-89c0-1d46ddac4470","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52770","PortSpecifier":{"PortValue":52770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8b80b596-741a-4eec-b3ec-1350d160b702","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52770","PortSpecifier":{"PortValue":52770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":675281877},"http":{"id":"8b80b596-741a-4eec-b3ec-1350d160b702","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-TM11N2IuqYMtTC7J_w1tU7iMJAkfnBScpwguv1on2uJ9745AKcXoWEU35R0z"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-TM11N2IuqYMtTC7J_w1tU7iMJAkfnBScpwguv1on2uJ9745AKcXoWEU35R0z\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8b80b596-741a-4eec-b3ec-1350d160b702","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":683120510},"http":{"id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-TM11N2IuqYMtTC7J_w1tU7iMJAkfnBScpwguv1on2uJ9745AKcXoWEU35R0z"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-TM11N2IuqYMtTC7J_w1tU7iMJAkfnBScpwguv1on2uJ9745AKcXoWEU35R0z\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-TM11N2IuqYMtTC7J_w1tU7iMJAkfnBScpwguv1on2uJ9745AKcXoWEU35R0z","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"8560cd99-54cf-4fd9-b8e1-9c7090963299"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":683120510,"seconds":1781191886},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.37:53446","port":53446}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"92540be9-aeda-4c0b-bc61-727fe3de48a5","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8560cd99-54cf-4fd9-b8e1-9c7090963299","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52780","PortSpecifier":{"PortValue":52780}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52780","PortSpecifier":{"PortValue":52780}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":796627168},"http":{"id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3ae4b97f-7f93-08ec-5cb0-d7aadcf56b02","preferred_username":"alice_lead","scope":"email profile","sid":"CY-qH6aOiW_gR531MX-IwD2-","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3ae4b97f-7f93-08ec-5cb0-d7aadcf56b02","preferred_username":"alice_lead","scope":"email profile","sid":"CY-qH6aOiW_gR531MX-IwD2-","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"928027bc-f8ef-4f93-91e9-17b0042a2cf1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52786","PortSpecifier":{"PortValue":52786}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52786","PortSpecifier":{"PortValue":52786}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":825326049},"http":{"id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ea142839-83e5-4c5c-bf6c-0b67d80349ad","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52798","PortSpecifier":{"PortValue":52798}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6150857e-fd5e-4850-92e5-6f56a16183bb","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52798","PortSpecifier":{"PortValue":52798}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":861700562},"http":{"id":"6150857e-fd5e-4850-92e5-6f56a16183bb","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6150857e-fd5e-4850-92e5-6f56a16183bb","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":869583449},"http":{"id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-dRMGYdIYWphwiQBa_vDyPfTWnffaMbH3sHiatXjT7OvOJYdiQPowp9RdEGEj","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":869583449,"seconds":1781191886},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.37:53446","port":53446}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"d47fb5ab-e31b-41f9-adef-8b9388ba653d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ae4170a8-8a65-4f3d-a457-56e1ecc398d3","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52810","PortSpecifier":{"PortValue":52810}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52810","PortSpecifier":{"PortValue":52810}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":963952712},"http":{"id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fee1a387-b31b-0660-9a5d-7c61804b022d","preferred_username":"alice_lead","scope":"email profile","sid":"pL2QAH68lfiMB-VP0qN_cm98","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192186,"groups":["Engineering","Project-Alpha"],"iat":1781191886,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:fee1a387-b31b-0660-9a5d-7c61804b022d","preferred_username":"alice_lead","scope":"email profile","sid":"pL2QAH68lfiMB-VP0qN_cm98","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed2eaf1a-9549-4f94-bd1a-a82628941ee9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52818","PortSpecifier":{"PortValue":52818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"26c9f477-8f07-442b-9125-a6af435a9cc5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52818","PortSpecifier":{"PortValue":52818}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191886,"nanos":995704895},"http":{"id":"26c9f477-8f07-442b-9125-a6af435a9cc5","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU\"}"} {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:26Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"26c9f477-8f07-442b-9125-a6af435a9cc5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191887,"nanos":3655002},"http":{"id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU\"}"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":3655002,"seconds":1781191887},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.37:53446","port":53446}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f3f35a9c-b0e3-45e6-9d16-934a03f9c7b6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f3c93390-99a3-42c4-b8fd-24bc9129e9c1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52820","PortSpecifier":{"PortValue":52820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52820","PortSpecifier":{"PortValue":52820}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191887,"nanos":33945993},"http":{"id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","method":"GET","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU\"}"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b1ea178d-b041-4c2a-ab33-fb696e5c42ee","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.37:53446","PortSpecifier":{"PortValue":53446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191887,"nanos":41998071},"http":{"id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":"apiKeyValidation","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU\"}"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":"subscription-info","method":"POST","url":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.redhat-ai-gateway-infra.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-kxRkGRyXc7Rk98sN_Sb5TcYR3pOs4l8pOUUELO3LRJDUUxl4be5dHLzCh1JU","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.134.0.37","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtdGZiemgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.134.0.32~maas-default-gateway-openshift-default-687ff6996-tfbzh.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.134.0.37","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"1168f105-cbd7-43b5-aec7-96af0d7cba93"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":41998071,"seconds":1781191887},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.134.0.37:53446","port":53446}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"f3f35a9c-b0e3-45e6-9d16-934a03f9c7b6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1168f105-cbd7-43b5-aec7-96af0d7cba93","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52830","PortSpecifier":{"PortValue":52830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.11:52830","PortSpecifier":{"PortValue":52830}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781191887,"nanos":141528098},"http":{"id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","method":"POST","headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192187,"groups":["Engineering","Project-Alpha"],"iat":1781191887,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8ca9c463-3cda-bf21-f562-e56bc29ddef3","preferred_username":"alice_lead","scope":"email profile","sid":"kqPy2RYe89bKZdtcidIrWKIM","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781192187,"groups":["Engineering","Project-Alpha"],"iat":1781191887,"iss":"https://keycloak.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8ca9c463-3cda-bf21-f562-e56bc29ddef3","preferred_username":"alice_lead","scope":"email profile","sid":"kqPy2RYe89bKZdtcidIrWKIM","sub":"5dd323cd-841c-4e92-9b4a-c67575d40b6b","typ":"Bearer"}},"context":{"context_extensions":{"host":"36a57cb26c1f3baa754055a5b21729579f55f7d59e2035fdb41cf938a33d7612"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.d8001610-ecd5-414d-88be-526a23d39bd9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T15:31:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"62d9790b-1b79-4d58-b413-afc281bcd2c5","authorized":true,"response":"OK"}