{"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-11T17:01:35Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-11T17:01:35Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"debug","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"debug","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-11T17:01:36Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34980","PortSpecifier":{"PortValue":34980}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1b592d64-a59a-45ba-8769-8c75f5771994","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34980","PortSpecifier":{"PortValue":34980}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197322,"nanos":791587425},"http":{"id":"1b592d64-a59a-45ba-8769-8c75f5771994","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197622,"groups":["Engineering","Project-Alpha"],"iat":1781197322,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c4875145-2e3d-f60c-1a0c-119afcf55b68","preferred_username":"alice_lead","scope":"profile email","sid":"UIdsBW8ycx790dIHDkfyN_P9","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197622,"groups":["Engineering","Project-Alpha"],"iat":1781197322,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:c4875145-2e3d-f60c-1a0c-119afcf55b68","preferred_username":"alice_lead","scope":"profile email","sid":"UIdsBW8ycx790dIHDkfyN_P9","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1b592d64-a59a-45ba-8769-8c75f5771994","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34988","PortSpecifier":{"PortValue":34988}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3a932bdd-b197-46c2-a198-4b62b32462df","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34988","PortSpecifier":{"PortValue":34988}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197322,"nanos":900629853},"http":{"id":"3a932bdd-b197-46c2-a198-4b62b32462df","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3a932bdd-b197-46c2-a198-4b62b32462df","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34994","PortSpecifier":{"PortValue":34994}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:34994","PortSpecifier":{"PortValue":34994}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197322,"nanos":939673022},"http":{"id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.134.0.9","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.134.0.9","x-forwarded-host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454"},"path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b3cebc85-8311-4cdf-a296-19e7b0bb4454","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2f0527d7-3a01-4e23-86ba-281596033b1d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35000","PortSpecifier":{"PortValue":35000}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2f0527d7-3a01-4e23-86ba-281596033b1d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2f0527d7-3a01-4e23-86ba-281596033b1d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35000","PortSpecifier":{"PortValue":35000}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197322,"nanos":965424942},"http":{"id":"2f0527d7-3a01-4e23-86ba-281596033b1d","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.134.0.9","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.134.0.9","x-forwarded-host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"2f0527d7-3a01-4e23-86ba-281596033b1d"},"path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2f0527d7-3a01-4e23-86ba-281596033b1d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:02:02Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2f0527d7-3a01-4e23-86ba-281596033b1d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35014","PortSpecifier":{"PortValue":35014}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35014","PortSpecifier":{"PortValue":35014}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":324202345},"http":{"id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Site-Reliability"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:be1beea0-9753-4cb3-30b3-dc9496f5a996","preferred_username":"bob_sre","scope":"profile email","sid":"W6JkTTFyDR4C1hN9aN8_8dMM","sub":"7017cc5f-aeec-4f48-ada2-630e5adca7bf","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Site-Reliability"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:be1beea0-9753-4cb3-30b3-dc9496f5a996","preferred_username":"bob_sre","scope":"profile email","sid":"W6JkTTFyDR4C1hN9aN8_8dMM","sub":"7017cc5f-aeec-4f48-ada2-630e5adca7bf","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce9d1ee3-49d0-4e33-b0c0-63afda83ec0a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35020","PortSpecifier":{"PortValue":35020}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35020","PortSpecifier":{"PortValue":35020}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":535829899},"http":{"id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3537d98f-aa6e-bd2e-437f-e7ac6e7dd1e8","preferred_username":"alice_lead","scope":"profile email","sid":"KnXeXy4SvOh-otIeU8vEpW6_","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3537d98f-aa6e-bd2e-437f-e7ac6e7dd1e8","preferred_username":"alice_lead","scope":"profile email","sid":"KnXeXy4SvOh-otIeU8vEpW6_","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a09021b8-4de3-4ce0-9f53-7e59a609c10e","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35026","PortSpecifier":{"PortValue":35026}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"024f1e9f-58e3-426e-86fd-eef717ac291d","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35026","PortSpecifier":{"PortValue":35026}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":569292208},"http":{"id":"024f1e9f-58e3-426e-86fd-eef717ac291d","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr\"}"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"024f1e9f-58e3-426e-86fd-eef717ac291d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f938193-f502-4e36-b101-af623cc1eb60","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8f938193-f502-4e36-b101-af623cc1eb60","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f938193-f502-4e36-b101-af623cc1eb60","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":586176164},"http":{"id":"8f938193-f502-4e36-b101-af623cc1eb60","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr\"}"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8f938193-f502-4e36-b101-af623cc1eb60","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"8f938193-f502-4e36-b101-af623cc1eb60"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"8f938193-f502-4e36-b101-af623cc1eb60","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":586176164,"seconds":1781197323},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.50:51194","port":51194}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f938193-f502-4e36-b101-af623cc1eb60","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"842dad28-d3c5-4774-bc7c-9b17d030bc09","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f938193-f502-4e36-b101-af623cc1eb60","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f938193-f502-4e36-b101-af623cc1eb60","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35034","PortSpecifier":{"PortValue":35034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35034","PortSpecifier":{"PortValue":35034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":618871017},"http":{"id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-73T8aDx6likqLUfD_MA8eR1fgfOVyzqR3YMl5apofiR25KkPrghY2zcM7DDr\"}"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"842dad28-d3c5-4774-bc7c-9b17d030bc09","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d0b9a9bc-9d81-4c4a-91af-a474664c011f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35036","PortSpecifier":{"PortValue":35036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"03163104-754f-4da1-8ef4-f676b39dcee8","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35036","PortSpecifier":{"PortValue":35036}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":719191654},"http":{"id":"03163104-754f-4da1-8ef4-f676b39dcee8","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0002c1bb-2bda-511a-8639-07a9e9f3e0e4","preferred_username":"alice_lead","scope":"profile email","sid":"WIxcAbx4gvqmr192fZtyDpTa","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0002c1bb-2bda-511a-8639-07a9e9f3e0e4","preferred_username":"alice_lead","scope":"profile email","sid":"WIxcAbx4gvqmr192fZtyDpTa","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"03163104-754f-4da1-8ef4-f676b39dcee8","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35048","PortSpecifier":{"PortValue":35048}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","method":"DELETE","path":"/maas-api/v1/api-keys/efca85b8-dca9-40d6-82c6-f8324ae4fdd4","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35048","PortSpecifier":{"PortValue":35048}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197323,"nanos":751188274},"http":{"id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","method":"DELETE","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/efca85b8-dca9-40d6-82c6-f8324ae4fdd4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0002c1bb-2bda-511a-8639-07a9e9f3e0e4","preferred_username":"alice_lead","scope":"profile email","sid":"WIxcAbx4gvqmr192fZtyDpTa","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197623,"groups":["Engineering","Project-Alpha"],"iat":1781197323,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0002c1bb-2bda-511a-8639-07a9e9f3e0e4","preferred_username":"alice_lead","scope":"profile email","sid":"WIxcAbx4gvqmr192fZtyDpTa","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/efca85b8-dca9-40d6-82c6-f8324ae4fdd4",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:03Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"927ee6ad-3ea3-4eea-934f-60e2d96bced9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35054","PortSpecifier":{"PortValue":35054}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35054","PortSpecifier":{"PortValue":35054}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197326,"nanos":786837053},"http":{"id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-u6SOrBAy02tQZgy0_IOwgCitpZ7XMBJYjIFYqxgOFQlZWhd2ERnjcZH67Xgt"} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-u6SOrBAy02tQZgy0_IOwgCitpZ7XMBJYjIFYqxgOFQlZWhd2ERnjcZH67Xgt\"}"} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8659aba1-9184-4984-a9b8-7692cbbd8f0a","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35066","PortSpecifier":{"PortValue":35066}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"46ecce25-d844-44ef-982d-cd868319a8b1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35066","PortSpecifier":{"PortValue":35066}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197326,"nanos":914271122},"http":{"id":"46ecce25-d844-44ef-982d-cd868319a8b1","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-11T17:02:06Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"46ecce25-d844-44ef-982d-cd868319a8b1","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35080","PortSpecifier":{"PortValue":35080}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35080","PortSpecifier":{"PortValue":35080}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":66883493},"http":{"id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197626,"groups":["Engineering","Project-Alpha"],"iat":1781197326,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7fe48f45-2f57-c729-7f65-cb001d2a1cb4","preferred_username":"alice_lead","scope":"profile email","sid":"HV_96K8K5bsX7aEu2ZYeyeWA","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197626,"groups":["Engineering","Project-Alpha"],"iat":1781197326,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7fe48f45-2f57-c729-7f65-cb001d2a1cb4","preferred_username":"alice_lead","scope":"profile email","sid":"HV_96K8K5bsX7aEu2ZYeyeWA","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d696b1f5-6c75-47a6-855a-bf48fb3ed511","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"870caa93-2542-4ca5-b917-71071d7a2423","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35082","PortSpecifier":{"PortValue":35082}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"870caa93-2542-4ca5-b917-71071d7a2423","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"870caa93-2542-4ca5-b917-71071d7a2423","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35082","PortSpecifier":{"PortValue":35082}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":96715614},"http":{"id":"870caa93-2542-4ca5-b917-71071d7a2423","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Site-Reliability"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:24edf92e-f4f9-2908-6e9b-8b60a0cab6e6","preferred_username":"bob_sre","scope":"profile email","sid":"DZ4Rl4kDTSEWc7Y3Y43aDOp1","sub":"7017cc5f-aeec-4f48-ada2-630e5adca7bf","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"870caa93-2542-4ca5-b917-71071d7a2423","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Site-Reliability"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:24edf92e-f4f9-2908-6e9b-8b60a0cab6e6","preferred_username":"bob_sre","scope":"profile email","sid":"DZ4Rl4kDTSEWc7Y3Y43aDOp1","sub":"7017cc5f-aeec-4f48-ada2-630e5adca7bf","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"870caa93-2542-4ca5-b917-71071d7a2423","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"870caa93-2542-4ca5-b917-71071d7a2423","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"870caa93-2542-4ca5-b917-71071d7a2423","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35094","PortSpecifier":{"PortValue":35094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35094","PortSpecifier":{"PortValue":35094}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":182055958},"http":{"id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"364c8d13-3a9d-47ab-9b08-e769c0be1f16","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c26e119-1647-478b-9608-117670252c5a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35098","PortSpecifier":{"PortValue":35098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0c26e119-1647-478b-9608-117670252c5a","method":"DELETE","path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0c26e119-1647-478b-9608-117670252c5a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35098","PortSpecifier":{"PortValue":35098}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":209872621},"http":{"id":"0c26e119-1647-478b-9608-117670252c5a","method":"DELETE","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0c26e119-1647-478b-9608-117670252c5a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0c26e119-1647-478b-9608-117670252c5a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c26e119-1647-478b-9608-117670252c5a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0c26e119-1647-478b-9608-117670252c5a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35114","PortSpecifier":{"PortValue":35114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","method":"DELETE","path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35114","PortSpecifier":{"PortValue":35114}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":237935119},"http":{"id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","method":"DELETE","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5571cffe-649d-5483-7728-af0158a3bba3","preferred_username":"alice_lead","scope":"profile email","sid":"BVUeVPEIF8I4K2_WAOCDJhM6","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/a4a5c4a6-264f-4cef-b7d7-2f73e8939e8f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a4784612-8ef0-47ed-a9f9-e78be13f7901","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35122","PortSpecifier":{"PortValue":35122}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35122","PortSpecifier":{"PortValue":35122}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":323409043},"http":{"id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6141702e-9e8e-da6e-2abd-4d0463661977","preferred_username":"alice_lead","scope":"profile email","sid":"AjnTAC9CUqUv4smhvNQclxwD","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6141702e-9e8e-da6e-2abd-4d0463661977","preferred_username":"alice_lead","scope":"profile email","sid":"AjnTAC9CUqUv4smhvNQclxwD","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"73aa58cc-8f2f-4504-9f01-de748d7ddf02","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35136","PortSpecifier":{"PortValue":35136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"345f9938-c1db-46cd-bd55-bb252c5ca163","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35136","PortSpecifier":{"PortValue":35136}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":356256479},"http":{"id":"345f9938-c1db-46cd-bd55-bb252c5ca163","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-7htWjScn976p5ElK_dxAreOyHPEZYlbG8nhtdX5tfVJy7XGaeLwCHdEKjYK6"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-7htWjScn976p5ElK_dxAreOyHPEZYlbG8nhtdX5tfVJy7XGaeLwCHdEKjYK6\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"345f9938-c1db-46cd-bd55-bb252c5ca163","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":363823281},"http":{"id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-7htWjScn976p5ElK_dxAreOyHPEZYlbG8nhtdX5tfVJy7XGaeLwCHdEKjYK6"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-7htWjScn976p5ElK_dxAreOyHPEZYlbG8nhtdX5tfVJy7XGaeLwCHdEKjYK6\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-7htWjScn976p5ElK_dxAreOyHPEZYlbG8nhtdX5tfVJy7XGaeLwCHdEKjYK6","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"71c35440-1d71-4060-aca5-2cd4e0d798b2"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":363823281,"seconds":1781197327},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.50:51194","port":51194}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"28ec4d23-6cd4-466c-ae1d-7f81454b5753","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"71c35440-1d71-4060-aca5-2cd4e0d798b2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35150","PortSpecifier":{"PortValue":35150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35150","PortSpecifier":{"PortValue":35150}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":452728514},"http":{"id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d70ab71-3969-4dad-07d9-7149a9922670","preferred_username":"alice_lead","scope":"profile email","sid":"M8VKwtKhABEXRx_z-ADV8oMR","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1d70ab71-3969-4dad-07d9-7149a9922670","preferred_username":"alice_lead","scope":"profile email","sid":"M8VKwtKhABEXRx_z-ADV8oMR","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dc4b19c3-7d05-4248-964a-3d768dd7e779","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35156","PortSpecifier":{"PortValue":35156}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e7139a12-48c8-4fe5-b44a-d134638eb545","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35156","PortSpecifier":{"PortValue":35156}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":479142119},"http":{"id":"e7139a12-48c8-4fe5-b44a-d134638eb545","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e7139a12-48c8-4fe5-b44a-d134638eb545","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35172","PortSpecifier":{"PortValue":35172}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f91db78c-3930-4037-8a47-ae60df8399ef","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35172","PortSpecifier":{"PortValue":35172}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":505838881},"http":{"id":"f91db78c-3930-4037-8a47-ae60df8399ef","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f91db78c-3930-4037-8a47-ae60df8399ef","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":512069739},"http":{"id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1FeqnXgslzz1yjmjS_OHxIEQRi7URe3LDDylZonJeC4LDmIlxLhbFn2nIQNu6","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"f9eb2424-9daa-4490-b9d6-40097f5624ad"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":512069739,"seconds":1781197327},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.50:51194","port":51194}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"1d4f57d1-900c-4cc8-be64-5e5e96b1cc8b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f9eb2424-9daa-4490-b9d6-40097f5624ad","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35186","PortSpecifier":{"PortValue":35186}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35186","PortSpecifier":{"PortValue":35186}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":600623347},"http":{"id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cd4b2554-637a-8871-9585-1f28c6832e43","preferred_username":"alice_lead","scope":"profile email","sid":"zKCS1GDGWmXqRhF3N09-VOf_","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cd4b2554-637a-8871-9585-1f28c6832e43","preferred_username":"alice_lead","scope":"profile email","sid":"zKCS1GDGWmXqRhF3N09-VOf_","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e5a670ce-2d65-43ba-9439-12c40b80f99b","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4411911f-9230-4080-bf75-869421ee0ab5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35198","PortSpecifier":{"PortValue":35198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4411911f-9230-4080-bf75-869421ee0ab5","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4411911f-9230-4080-bf75-869421ee0ab5","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35198","PortSpecifier":{"PortValue":35198}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":627005359},"http":{"id":"4411911f-9230-4080-bf75-869421ee0ab5","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4411911f-9230-4080-bf75-869421ee0ab5","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4411911f-9230-4080-bf75-869421ee0ab5","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4411911f-9230-4080-bf75-869421ee0ab5","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4411911f-9230-4080-bf75-869421ee0ab5","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":633295476},"http":{"id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":633295476,"seconds":1781197327},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.50:51194","port":51194}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e7942628-1647-4786-8d05-076bbd9050cb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ba500f0c-cb02-4a46-b29b-0e7c025cd69f","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35210","PortSpecifier":{"PortValue":35210}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35210","PortSpecifier":{"PortValue":35210}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":666089104},"http":{"id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","method":"GET","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3d8bbd25-97f0-4d50-aa73-65de6d618552","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cfe35885-18cc-4225-bbc3-d30a37d86914","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.50:51194","PortSpecifier":{"PortValue":51194}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":672627848},"http":{"id":"cfe35885-18cc-4225-bbc3-d30a37d86914","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-o6ip2wapvyRlAgXq_L3bzMXoeDNDVYBi45wTRkO1ndL4fsXGCjm9oYZzv6Kd","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.50","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtcTd4cHgKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.133.0.44~maas-default-gateway-openshift-default-687ff6996-q7xpx.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.50","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"cfe35885-18cc-4225-bbc3-d30a37d86914"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"cfe35885-18cc-4225-bbc3-d30a37d86914","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":672627848,"seconds":1781197327},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.50:51194","port":51194}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"e7942628-1647-4786-8d05-076bbd9050cb","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cfe35885-18cc-4225-bbc3-d30a37d86914","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35218","PortSpecifier":{"PortValue":35218}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.9:35218","PortSpecifier":{"PortValue":35218}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.44:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781197327,"nanos":768642195},"http":{"id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","method":"POST","headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8eb7297f-978c-de9f-43af-5f9c09d9ce4b","preferred_username":"alice_lead","scope":"profile email","sid":"GDmMyV1KyL6_4QZYWtFsyrLZ","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781197627,"groups":["Engineering","Project-Alpha"],"iat":1781197327,"iss":"https://keycloak.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:8eb7297f-978c-de9f-43af-5f9c09d9ce4b","preferred_username":"alice_lead","scope":"profile email","sid":"GDmMyV1KyL6_4QZYWtFsyrLZ","sub":"d04f81d3-1153-4ecb-bdf0-9d97ce80b0f4","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.44:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.343d7d37-825b-4dab-9294-56ff0488db34.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"userid","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-11T17:02:07Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"51d2c713-5754-4dfe-8ce9-f7370e7d908e","authorized":true,"response":"OK"}