{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/01918e70442d2cb18c94316131b0e0a241b4a5d12df5b1e1981a3bef420bbdb5"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-15T08:21:52Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-15T08:21:52Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-15T08:21:52Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-15T08:21:52Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"debug","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-15T08:21:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37532","PortSpecifier":{"PortValue":37532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37532","PortSpecifier":{"PortValue":37532}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511747,"nanos":629488706},"http":{"id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512047,"groups":["Engineering","Project-Alpha"],"iat":1781511747,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d8f17807-8984-4814-917a-38befbb78536","preferred_username":"alice_lead","scope":"profile email","sid":"Gtcj4u1RUxWConIrIWWUL_FG","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512047,"groups":["Engineering","Project-Alpha"],"iat":1781511747,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:d8f17807-8984-4814-917a-38befbb78536","preferred_username":"alice_lead","scope":"profile email","sid":"Gtcj4u1RUxWConIrIWWUL_FG","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e9b487ed-9494-441f-ba66-b067a6bc5acc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"36b9e681-1986-4664-b27e-917c59778c3f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37544","PortSpecifier":{"PortValue":37544}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"36b9e681-1986-4664-b27e-917c59778c3f","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"36b9e681-1986-4664-b27e-917c59778c3f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37544","PortSpecifier":{"PortValue":37544}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511747,"nanos":789847399},"http":{"id":"36b9e681-1986-4664-b27e-917c59778c3f","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"36b9e681-1986-4664-b27e-917c59778c3f","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"36b9e681-1986-4664-b27e-917c59778c3f","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"36b9e681-1986-4664-b27e-917c59778c3f","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"36b9e681-1986-4664-b27e-917c59778c3f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"36b9e681-1986-4664-b27e-917c59778c3f","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37550","PortSpecifier":{"PortValue":37550}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37550","PortSpecifier":{"PortValue":37550}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511747,"nanos":836120521},"http":{"id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.8","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.8","x-forwarded-host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"08156c46-b81d-4e3f-ae70-7ac9a1253207"},"path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"08156c46-b81d-4e3f-ae70-7ac9a1253207","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37562","PortSpecifier":{"PortValue":37562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37562","PortSpecifier":{"PortValue":37562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511747,"nanos":863635191},"http":{"id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.8","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.8","x-forwarded-host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91"},"path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:22:27Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1a78a46e-e272-4c45-ace6-58a3f8d9fe91","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37568","PortSpecifier":{"PortValue":37568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37568","PortSpecifier":{"PortValue":37568}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511748,"nanos":519900050},"http":{"id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512048,"groups":["Site-Reliability"],"iat":1781511748,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a8da08ed-6533-0014-79d0-8e337a60c5cf","preferred_username":"bob_sre","scope":"profile email","sid":"UioaRTloQZjQbmui_H9E-5c8","sub":"fecd0fa2-9ed8-4495-bf4c-7c67299b8b87","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512048,"groups":["Site-Reliability"],"iat":1781511748,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a8da08ed-6533-0014-79d0-8e337a60c5cf","preferred_username":"bob_sre","scope":"profile email","sid":"UioaRTloQZjQbmui_H9E-5c8","sub":"fecd0fa2-9ed8-4495-bf4c-7c67299b8b87","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dcd60ab4-a6c4-4a5f-b02a-d02176bef56a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37574","PortSpecifier":{"PortValue":37574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"413945c2-376f-407d-bbdb-f344f1bc82d4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37574","PortSpecifier":{"PortValue":37574}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511748,"nanos":906257021},"http":{"id":"413945c2-376f-407d-bbdb-f344f1bc82d4","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512048,"groups":["Engineering","Project-Alpha"],"iat":1781511748,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b50a3b8a-a075-3dbf-b9ee-d90ee71b9907","preferred_username":"alice_lead","scope":"profile email","sid":"e0_kVui4ukxpZKbWwynyjIBS","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512048,"groups":["Engineering","Project-Alpha"],"iat":1781511748,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b50a3b8a-a075-3dbf-b9ee-d90ee71b9907","preferred_username":"alice_lead","scope":"profile email","sid":"e0_kVui4ukxpZKbWwynyjIBS","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"413945c2-376f-407d-bbdb-f344f1bc82d4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37586","PortSpecifier":{"PortValue":37586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9bab8e16-f959-40ea-baf5-f7554b52b309","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37586","PortSpecifier":{"PortValue":37586}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511748,"nanos":934960392},"http":{"id":"9bab8e16-f959-40ea-baf5-f7554b52b309","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT\"}"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9bab8e16-f959-40ea-baf5-f7554b52b309","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511748,"nanos":942194765},"http":{"id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT\"}"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":942194765,"seconds":1781511748},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.34:44112","port":44112}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"991a074d-7692-4781-a506-0faa4b3baf6f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a4d0cac5-13c1-4f90-96f1-de3ad4337b63","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37588","PortSpecifier":{"PortValue":37588}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37588","PortSpecifier":{"PortValue":37588}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511748,"nanos":972946694},"http":{"id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-hoJYH92MFLtvM8TL_UdHI7rJmARbL75fsM34WK0qwa76hHzVKxXU38t2KGJT\"}"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"991a074d-7692-4781-a506-0faa4b3baf6f","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:28Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eb9fc9a8-dc03-4fad-9f8d-29fd0a1533d3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37600","PortSpecifier":{"PortValue":37600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37600","PortSpecifier":{"PortValue":37600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511749,"nanos":131841013},"http":{"id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512049,"groups":["Engineering","Project-Alpha"],"iat":1781511749,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:33579ad5-8ee2-0410-555f-d0912bee8681","preferred_username":"alice_lead","scope":"profile email","sid":"YGlMwsOsFHyG7hFFsqdItFVK","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512049,"groups":["Engineering","Project-Alpha"],"iat":1781511749,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:33579ad5-8ee2-0410-555f-d0912bee8681","preferred_username":"alice_lead","scope":"profile email","sid":"YGlMwsOsFHyG7hFFsqdItFVK","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"469098e1-4b5e-4a8c-9443-5b10b6798c57","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37606","PortSpecifier":{"PortValue":37606}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2cc5455e-de6a-4272-aa91-f43239cb306d","method":"DELETE","path":"/maas-api/v1/api-keys/691b792f-92e4-49ff-9405-103c661c32cb","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37606","PortSpecifier":{"PortValue":37606}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511749,"nanos":163810719},"http":{"id":"2cc5455e-de6a-4272-aa91-f43239cb306d","method":"DELETE","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/691b792f-92e4-49ff-9405-103c661c32cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512049,"groups":["Engineering","Project-Alpha"],"iat":1781511749,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:33579ad5-8ee2-0410-555f-d0912bee8681","preferred_username":"alice_lead","scope":"profile email","sid":"YGlMwsOsFHyG7hFFsqdItFVK","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512049,"groups":["Engineering","Project-Alpha"],"iat":1781511749,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:33579ad5-8ee2-0410-555f-d0912bee8681","preferred_username":"alice_lead","scope":"profile email","sid":"YGlMwsOsFHyG7hFFsqdItFVK","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/691b792f-92e4-49ff-9405-103c661c32cb",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:29Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2cc5455e-de6a-4272-aa91-f43239cb306d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37614","PortSpecifier":{"PortValue":37614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37614","PortSpecifier":{"PortValue":37614}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":197026347},"http":{"id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-12oyLBH7QjTnlFvGZ_FHYU7Bv6ZmWtEe8PXjikoLFJvCrScQEjcsPbDouBKlL"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-12oyLBH7QjTnlFvGZ_FHYU7Bv6ZmWtEe8PXjikoLFJvCrScQEjcsPbDouBKlL\"}"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bca84732-b2e6-4272-bc25-adb9f9d30c14","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"efe48b42-66d9-4226-9129-137c4f94df79","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37616","PortSpecifier":{"PortValue":37616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"efe48b42-66d9-4226-9129-137c4f94df79","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"efe48b42-66d9-4226-9129-137c4f94df79","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37616","PortSpecifier":{"PortValue":37616}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":380692202},"http":{"id":"efe48b42-66d9-4226-9129-137c4f94df79","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"efe48b42-66d9-4226-9129-137c4f94df79","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"efe48b42-66d9-4226-9129-137c4f94df79","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"efe48b42-66d9-4226-9129-137c4f94df79","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"efe48b42-66d9-4226-9129-137c4f94df79","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"efe48b42-66d9-4226-9129-137c4f94df79","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37632","PortSpecifier":{"PortValue":37632}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5633ce60-7c70-47c1-8fb0-c24838d26747","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37632","PortSpecifier":{"PortValue":37632}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":681405805},"http":{"id":"5633ce60-7c70-47c1-8fb0-c24838d26747","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4c4d5c49-19be-0a35-9f4a-2574668a1ef8","preferred_username":"alice_lead","scope":"profile email","sid":"fZ_Dq_RtBACDSuWzwGhrLvmg","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4c4d5c49-19be-0a35-9f4a-2574668a1ef8","preferred_username":"alice_lead","scope":"profile email","sid":"fZ_Dq_RtBACDSuWzwGhrLvmg","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5633ce60-7c70-47c1-8fb0-c24838d26747","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37640","PortSpecifier":{"PortValue":37640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37640","PortSpecifier":{"PortValue":37640}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":712393914},"http":{"id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Site-Reliability"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87ecb663-d4b9-ea48-df11-fa445657f3ca","preferred_username":"bob_sre","scope":"profile email","sid":"okHMQH1eXH9hPfVwXle8KQ-Q","sub":"fecd0fa2-9ed8-4495-bf4c-7c67299b8b87","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Site-Reliability"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:87ecb663-d4b9-ea48-df11-fa445657f3ca","preferred_username":"bob_sre","scope":"profile email","sid":"okHMQH1eXH9hPfVwXle8KQ-Q","sub":"fecd0fa2-9ed8-4495-bf4c-7c67299b8b87","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"8f540a6a-64f0-4ee1-b646-64d0c8570ae3","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37648","PortSpecifier":{"PortValue":37648}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":867032938},"http":{"id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d7ef10b1-dff0-4b1c-9bef-49fde4cacabb","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37660","PortSpecifier":{"PortValue":37660}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4b3d224a-ae58-4021-8906-935c4f530f87","method":"DELETE","path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37660","PortSpecifier":{"PortValue":37660}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":899134314},"http":{"id":"4b3d224a-ae58-4021-8906-935c4f530f87","method":"DELETE","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b3d224a-ae58-4021-8906-935c4f530f87","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37670","PortSpecifier":{"PortValue":37670}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"67743872-1694-4471-b9a8-ebd60e7eebc4","method":"DELETE","path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37670","PortSpecifier":{"PortValue":37670}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511752,"nanos":927271004},"http":{"id":"67743872-1694-4471-b9a8-ebd60e7eebc4","method":"DELETE","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512052,"groups":["Engineering","Project-Alpha"],"iat":1781511752,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:60361ba2-d854-7807-6437-9281b47943bb","preferred_username":"alice_lead","scope":"profile email","sid":"D1RqTWU5y4X6esYWAd4ORGvp","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/92771a76-23ff-4ca4-a5cf-a29a07568eb7",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:32Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67743872-1694-4471-b9a8-ebd60e7eebc4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37682","PortSpecifier":{"PortValue":37682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37682","PortSpecifier":{"PortValue":37682}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":74849512},"http":{"id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bccdf1a-5360-b6ae-6794-fee828d4c6ca","preferred_username":"alice_lead","scope":"profile email","sid":"Mr-qPdQDrXd-yZzKDx5aW4CN","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5bccdf1a-5360-b6ae-6794-fee828d4c6ca","preferred_username":"alice_lead","scope":"profile email","sid":"Mr-qPdQDrXd-yZzKDx5aW4CN","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6a097b6c-307d-4cc2-8c8d-6c358e3b8a94","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37692","PortSpecifier":{"PortValue":37692}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"11c81474-1440-467c-b82a-3bf5f2beff84","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37692","PortSpecifier":{"PortValue":37692}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":105890401},"http":{"id":"11c81474-1440-467c-b82a-3bf5f2beff84","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-yKK7YPcQQTYj1jTX_AsiVMIGVGBL0QovrgES91FjwvHx0vIrGKB2k2dHk3J2"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-yKK7YPcQQTYj1jTX_AsiVMIGVGBL0QovrgES91FjwvHx0vIrGKB2k2dHk3J2\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"11c81474-1440-467c-b82a-3bf5f2beff84","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c87c750f-e965-49e7-8059-2c72e2406c1f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":112633314},"http":{"id":"c87c750f-e965-49e7-8059-2c72e2406c1f","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-yKK7YPcQQTYj1jTX_AsiVMIGVGBL0QovrgES91FjwvHx0vIrGKB2k2dHk3J2"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-yKK7YPcQQTYj1jTX_AsiVMIGVGBL0QovrgES91FjwvHx0vIrGKB2k2dHk3J2\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-yKK7YPcQQTYj1jTX_AsiVMIGVGBL0QovrgES91FjwvHx0vIrGKB2k2dHk3J2","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"c87c750f-e965-49e7-8059-2c72e2406c1f"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"c87c750f-e965-49e7-8059-2c72e2406c1f","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":112633314,"seconds":1781511753},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.34:44112","port":44112}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"5e91297d-2083-4186-8a34-ef576e5aa4f6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c87c750f-e965-49e7-8059-2c72e2406c1f","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37696","PortSpecifier":{"PortValue":37696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"184aa229-ea94-4332-a490-fa6eea5b110e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37696","PortSpecifier":{"PortValue":37696}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":274541191},"http":{"id":"184aa229-ea94-4332-a490-fa6eea5b110e","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:032cc4a2-a1fc-0965-cce1-e3ada9556f0c","preferred_username":"alice_lead","scope":"profile email","sid":"9ZTrotxep8eL_3hDZpfVhqys","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:032cc4a2-a1fc-0965-cce1-e3ada9556f0c","preferred_username":"alice_lead","scope":"profile email","sid":"9ZTrotxep8eL_3hDZpfVhqys","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"184aa229-ea94-4332-a490-fa6eea5b110e","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37708","PortSpecifier":{"PortValue":37708}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37708","PortSpecifier":{"PortValue":37708}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":305470124},"http":{"id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"879d43b5-dfdb-486c-8a81-d2ccf5a59afc","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37716","PortSpecifier":{"PortValue":37716}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"329c91bd-df19-4931-9dba-e070d74e9b10","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37716","PortSpecifier":{"PortValue":37716}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":331450613},"http":{"id":"329c91bd-df19-4931-9dba-e070d74e9b10","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"329c91bd-df19-4931-9dba-e070d74e9b10","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":338864340},"http":{"id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-k1B85HS3ilLrqwfw_9NiIHJSOe5nRzWPPlCM4QBdKQx4nwCQlDeUX3VAPw0V","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":338864340,"seconds":1781511753},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.34:44112","port":44112}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"576c5ded-38b8-4b87-93a9-acb5ac29e0a6","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ce241b9b-a882-42b6-9941-dbc62cf48c3b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37730","PortSpecifier":{"PortValue":37730}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37730","PortSpecifier":{"PortValue":37730}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":495946625},"http":{"id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:61f5dc87-f672-8852-1477-752f57a89e26","preferred_username":"alice_lead","scope":"profile email","sid":"Ij0hd2M27EmnTzXQWEih0YM-","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:61f5dc87-f672-8852-1477-752f57a89e26","preferred_username":"alice_lead","scope":"profile email","sid":"Ij0hd2M27EmnTzXQWEih0YM-","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"719eb2d1-5e24-42c9-b6fa-003bbab9debe","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37744","PortSpecifier":{"PortValue":37744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37744","PortSpecifier":{"PortValue":37744}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":525571814},"http":{"id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2e67075-640c-44db-b874-cf5ccd9fdb91","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"148829de-85bd-4eda-82be-cf76116b5160","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"148829de-85bd-4eda-82be-cf76116b5160","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"148829de-85bd-4eda-82be-cf76116b5160","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":532634094},"http":{"id":"148829de-85bd-4eda-82be-cf76116b5160","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"148829de-85bd-4eda-82be-cf76116b5160","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"148829de-85bd-4eda-82be-cf76116b5160"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"148829de-85bd-4eda-82be-cf76116b5160","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":532634094,"seconds":1781511753},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.34:44112","port":44112}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"148829de-85bd-4eda-82be-cf76116b5160","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9f61e6ae-0805-44b2-af08-2f42e7335e50","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"148829de-85bd-4eda-82be-cf76116b5160","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"148829de-85bd-4eda-82be-cf76116b5160","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37756","PortSpecifier":{"PortValue":37756}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37756","PortSpecifier":{"PortValue":37756}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":565905246},"http":{"id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","method":"GET","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"db6ac379-6ec9-4333-8ec0-5b795f1a5642","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a68ac8ef-ca78-4264-90fa-08db920b4018","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.34:44112","PortSpecifier":{"PortValue":44112}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":572639430},"http":{"id":"a68ac8ef-ca78-4264-90fa-08db920b4018","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-ZN7jbv7HsbhqV3IR_tySCiWwVsM5QJ1eawtgMsqSQX9V7IkxQHQW1wzyyfhu","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.34","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQAoETkFNRRI4GjZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC02ODdmZjY5OTYtbDhmeDIKIAoJTkFNRVNQQUNFEhMaEW9wZW5zaGlmdC1pbmdyZXNzCnQKBU9XTkVSEmsaaWt1YmVybmV0ZXM6Ly9hcGlzL2FwcHMvdjEvbmFtZXNwYWNlcy9vcGVuc2hpZnQtaW5ncmVzcy9kZXBsb3ltZW50cy9tYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAo5Cg1XT1JLTE9BRF9OQU1FEigaJm1hYXMtZGVmYXVsdC1nYXRld2F5LW9wZW5zaGlmdC1kZWZhdWx0","x-envoy-peer-metadata-id":"router~10.132.0.41~maas-default-gateway-openshift-default-687ff6996-l8fx2.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.34","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a68ac8ef-ca78-4264-90fa-08db920b4018"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a68ac8ef-ca78-4264-90fa-08db920b4018","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":572639430,"seconds":1781511753},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.34:44112","port":44112}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"groups","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"9f61e6ae-0805-44b2-af08-2f42e7335e50","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a68ac8ef-ca78-4264-90fa-08db920b4018","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e29a275c-c8e7-4701-8968-b96633562072","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37770","PortSpecifier":{"PortValue":37770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e29a275c-c8e7-4701-8968-b96633562072","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e29a275c-c8e7-4701-8968-b96633562072","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.8:37770","PortSpecifier":{"PortValue":37770}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.41:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781511753,"nanos":723964538},"http":{"id":"e29a275c-c8e7-4701-8968-b96633562072","method":"POST","headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0100b121-3100-3f64-b03d-7230ec291d38","preferred_username":"alice_lead","scope":"profile email","sid":"MUlRbUqDvOMBP8iPLNaWT8AI","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e29a275c-c8e7-4701-8968-b96633562072","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781512053,"groups":["Engineering","Project-Alpha"],"iat":1781511753,"iss":"https://keycloak.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0100b121-3100-3f64-b03d-7230ec291d38","preferred_username":"alice_lead","scope":"profile email","sid":"MUlRbUqDvOMBP8iPLNaWT8AI","sub":"a3e6dd58-72f6-4f63-9ecc-416f3d1f301a","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.132.0.41:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.b3a5d79a-bcf7-4ba3-aaa6-9f18e51b910a.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"opendatahub"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e29a275c-c8e7-4701-8968-b96633562072","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"info","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e29a275c-c8e7-4701-8968-b96633562072","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-15T08:22:33Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e29a275c-c8e7-4701-8968-b96633562072","authorized":true,"response":"OK"}