{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-13T01:48:52Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-13T01:48:52Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-13T01:48:52Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-13T01:48:52Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":8,"festivalWristbandEnabled":false}}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}}
{"level":"debug","ts":"2026-06-13T01:48:52Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/cc09b530b46a73b0d4ddb40e465580cff15db19d77e93e4903c9737647deeb1a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"}
{"level":"debug","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"}
{"level":"info","ts":"2026-06-13T01:48:53Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"}
{"level":"info","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56296","PortSpecifier":{"PortValue":56296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"58660124-648c-4bc1-9b7d-283c60b6311a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56296","PortSpecifier":{"PortValue":56296}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315359,"nanos":824169266},"http":{"id":"58660124-648c-4bc1-9b7d-283c60b6311a","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315659,"groups":["Engineering","Project-Alpha"],"iat":1781315359,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d147156-5844-3855-ac55-5fc7bd7a8b2b","preferred_username":"alice_lead","scope":"email profile","sid":"Yd-TU7wNpGgZ4wZFUzkv4BI6","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315659,"groups":["Engineering","Project-Alpha"],"iat":1781315359,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:6d147156-5844-3855-ac55-5fc7bd7a8b2b","preferred_username":"alice_lead","scope":"email profile","sid":"Yd-TU7wNpGgZ4wZFUzkv4BI6","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"58660124-648c-4bc1-9b7d-283c60b6311a","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56306","PortSpecifier":{"PortValue":56306}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56306","PortSpecifier":{"PortValue":56306}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315359,"nanos":969094392},"http":{"id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:49:19Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a149d889-43ff-4282-b00a-0ccc9c3c45df","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56308","PortSpecifier":{"PortValue":56308}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56308","PortSpecifier":{"PortValue":56308}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":12777680},"http":{"id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.15","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.15","x-forwarded-host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7610dc29-f0c8-4a09-86f4-3fcb6288b2c0","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56314","PortSpecifier":{"PortValue":56314}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56314","PortSpecifier":{"PortValue":56314}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":41749471},"http":{"id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=52.71.36.72;host=maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.15","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"52.71.36.72,10.132.0.15","x-forwarded-host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"12b287b1-94e9-9033-8b3a-a303cd24bd46"},"path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"12b287b1-94e9-9033-8b3a-a303cd24bd46","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56320","PortSpecifier":{"PortValue":56320}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56320","PortSpecifier":{"PortValue":56320}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":432040403},"http":{"id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Site-Reliability"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3a880a20-cf3d-6a30-811c-5aafcc2b7ac8","preferred_username":"bob_sre","scope":"email profile","sid":"rdUV-UCGmcxlBGlI-Mm_UTPM","sub":"eb1cc206-db6c-40ec-92db-49d166dbb448","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Site-Reliability"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:3a880a20-cf3d-6a30-811c-5aafcc2b7ac8","preferred_username":"bob_sre","scope":"email profile","sid":"rdUV-UCGmcxlBGlI-Mm_UTPM","sub":"eb1cc206-db6c-40ec-92db-49d166dbb448","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"648bb731-5a9e-41c0-a5cc-7ca7ed9112ea","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bfe371bf-4cdc-4324-808f-943642e25614","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56328","PortSpecifier":{"PortValue":56328}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"bfe371bf-4cdc-4324-808f-943642e25614","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"bfe371bf-4cdc-4324-808f-943642e25614","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56328","PortSpecifier":{"PortValue":56328}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":679591864},"http":{"id":"bfe371bf-4cdc-4324-808f-943642e25614","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f1c60e2e-0ef9-5d6c-cd24-db161f2d87c3","preferred_username":"alice_lead","scope":"email profile","sid":"Gou7GL0dmSd6dypL6X-v_z0o","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"bfe371bf-4cdc-4324-808f-943642e25614","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f1c60e2e-0ef9-5d6c-cd24-db161f2d87c3","preferred_username":"alice_lead","scope":"email profile","sid":"Gou7GL0dmSd6dypL6X-v_z0o","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"bfe371bf-4cdc-4324-808f-943642e25614","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bfe371bf-4cdc-4324-808f-943642e25614","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"bfe371bf-4cdc-4324-808f-943642e25614","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6685c896-c592-4111-be66-9f2c9adc7598","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56342","PortSpecifier":{"PortValue":56342}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6685c896-c592-4111-be66-9f2c9adc7598","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6685c896-c592-4111-be66-9f2c9adc7598","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56342","PortSpecifier":{"PortValue":56342}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":711894128},"http":{"id":"6685c896-c592-4111-be66-9f2c9adc7598","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti\"}"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6685c896-c592-4111-be66-9f2c9adc7598","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6685c896-c592-4111-be66-9f2c9adc7598","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6685c896-c592-4111-be66-9f2c9adc7598","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6685c896-c592-4111-be66-9f2c9adc7598","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:35034","PortSpecifier":{"PortValue":35034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"cc9f460e-e673-43a8-8b23-52d38602051d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:35034","PortSpecifier":{"PortValue":35034}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":730009454},"http":{"id":"cc9f460e-e673-43a8-8b23-52d38602051d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti\"}"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.38","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.38","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"cc9f460e-e673-43a8-8b23-52d38602051d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"cc9f460e-e673-43a8-8b23-52d38602051d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":730009454,"seconds":1781315360},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.38:35034","port":35034}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c34725cc-4b2f-4fa3-9290-3b7b142b219d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"cc9f460e-e673-43a8-8b23-52d38602051d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56344","PortSpecifier":{"PortValue":56344}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2d584c64-0fea-4628-8435-2ad20efaee7c","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56344","PortSpecifier":{"PortValue":56344}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":764355352},"http":{"id":"2d584c64-0fea-4628-8435-2ad20efaee7c","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-HlZDsGq1xkhCUq3p_OgFtazPm1tO4BL6Ck24eRXumodi4a9S97I57Ltm6Sti\"}"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"userid","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c34725cc-4b2f-4fa3-9290-3b7b142b219d","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2d584c64-0fea-4628-8435-2ad20efaee7c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"750da52c-586c-409d-9858-50ceaae23ebd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56360","PortSpecifier":{"PortValue":56360}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"750da52c-586c-409d-9858-50ceaae23ebd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"750da52c-586c-409d-9858-50ceaae23ebd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56360","PortSpecifier":{"PortValue":56360}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":875967962},"http":{"id":"750da52c-586c-409d-9858-50ceaae23ebd","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2a787dae-c13a-7e08-ac78-7549784f4e10","preferred_username":"alice_lead","scope":"email profile","sid":"IMJ-4LpdzXwFAR_GS9vxfVE0","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"750da52c-586c-409d-9858-50ceaae23ebd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2a787dae-c13a-7e08-ac78-7549784f4e10","preferred_username":"alice_lead","scope":"email profile","sid":"IMJ-4LpdzXwFAR_GS9vxfVE0","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"750da52c-586c-409d-9858-50ceaae23ebd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"750da52c-586c-409d-9858-50ceaae23ebd","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"750da52c-586c-409d-9858-50ceaae23ebd","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56368","PortSpecifier":{"PortValue":56368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","method":"DELETE","path":"/maas-api/v1/api-keys/d0d89d1a-0232-4918-b2ea-06b3b57fc43c","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56368","PortSpecifier":{"PortValue":56368}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315360,"nanos":904318125},"http":{"id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","method":"DELETE","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d0d89d1a-0232-4918-b2ea-06b3b57fc43c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2a787dae-c13a-7e08-ac78-7549784f4e10","preferred_username":"alice_lead","scope":"email profile","sid":"IMJ-4LpdzXwFAR_GS9vxfVE0","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315660,"groups":["Engineering","Project-Alpha"],"iat":1781315360,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:2a787dae-c13a-7e08-ac78-7549784f4e10","preferred_username":"alice_lead","scope":"email profile","sid":"IMJ-4LpdzXwFAR_GS9vxfVE0","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/d0d89d1a-0232-4918-b2ea-06b3b57fc43c",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:20Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c3e575a6-0fb3-4bc8-815c-1f5977eb0a96","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56376","PortSpecifier":{"PortValue":56376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56376","PortSpecifier":{"PortValue":56376}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315363,"nanos":943201193},"http":{"id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-GzbxrrUPjT8rKB8s_9U649GmaHyFazM0XrZEG05rafi28YnImriMI5aLaBbx"}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-GzbxrrUPjT8rKB8s_9U649GmaHyFazM0XrZEG05rafi28YnImriMI5aLaBbx\"}"}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","tenant":"","valid":false}}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","input":{"auth":{"identity":"Bearer **** revoked or expired","tenant":"","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"}
{"level":"info","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}}
{"level":"debug","ts":"2026-06-13T01:49:23Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5adfc1c4-6c5f-4661-9fcc-7dc27962e446","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56380","PortSpecifier":{"PortValue":56380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"facf3c7a-d185-446c-8971-0e676ad9d76a","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56380","PortSpecifier":{"PortValue":56380}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":98284371},"http":{"id":"facf3c7a-d185-446c-8971-0e676ad9d76a","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","tokenreview":{"name":""}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"facf3c7a-d185-446c-8971-0e676ad9d76a","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""},{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""}]}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56390","PortSpecifier":{"PortValue":56390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56390","PortSpecifier":{"PortValue":56390}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":287163970},"http":{"id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7c9b09cc-7282-efaf-e483-91fd7c7ebc67","preferred_username":"alice_lead","scope":"email profile","sid":"LiVIX3S90-bUt7xUg1piqz_t","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:7c9b09cc-7282-efaf-e483-91fd7c7ebc67","preferred_username":"alice_lead","scope":"email profile","sid":"LiVIX3S90-bUt7xUg1piqz_t","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4b5c4ab9-c0a2-47bd-821d-345b0d9d5ce1","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56398","PortSpecifier":{"PortValue":56398}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56398","PortSpecifier":{"PortValue":56398}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":315236365},"http":{"id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Site-Reliability"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:50a15a3a-d6d8-203d-12ff-e10ceae3eec2","preferred_username":"bob_sre","scope":"email profile","sid":"aWCE_TeYdLbiQ9pLPgqz4qjl","sub":"eb1cc206-db6c-40ec-92db-49d166dbb448","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Site-Reliability"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:50a15a3a-d6d8-203d-12ff-e10ceae3eec2","preferred_username":"bob_sre","scope":"email profile","sid":"aWCE_TeYdLbiQ9pLPgqz4qjl","sub":"eb1cc206-db6c-40ec-92db-49d166dbb448","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3317cf35-1378-4d63-8e6d-4a3754a3a13b","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56408","PortSpecifier":{"PortValue":56408}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56408","PortSpecifier":{"PortValue":56408}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":402357198},"http":{"id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1c13e4b6-c24b-4998-8bda-7a2faca80525","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56418","PortSpecifier":{"PortValue":56418}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","method":"DELETE","path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56418","PortSpecifier":{"PortValue":56418}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":430953248},"http":{"id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","method":"DELETE","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c2b67e5a-5ad6-4d98-bd0e-8657d14d04f0","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f003203-6825-4407-8ce0-baa49c55be41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56432","PortSpecifier":{"PortValue":56432}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7f003203-6825-4407-8ce0-baa49c55be41","method":"DELETE","path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7f003203-6825-4407-8ce0-baa49c55be41","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56432","PortSpecifier":{"PortValue":56432}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":458919389},"http":{"id":"7f003203-6825-4407-8ce0-baa49c55be41","method":"DELETE","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7f003203-6825-4407-8ce0-baa49c55be41","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:beca1677-4a76-d93c-6788-0b2e587e5d0b","preferred_username":"alice_lead","scope":"email profile","sid":"zJAKI-2_Kx3YDvPJe51g4S8L","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ebb6f16d-967b-414c-803c-be7c0004e42e",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7f003203-6825-4407-8ce0-baa49c55be41","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f003203-6825-4407-8ce0-baa49c55be41","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7f003203-6825-4407-8ce0-baa49c55be41","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56434","PortSpecifier":{"PortValue":56434}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56434","PortSpecifier":{"PortValue":56434}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":544855721},"http":{"id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0c1fc93a-e281-d78c-df0e-2c62d531f5f4","preferred_username":"alice_lead","scope":"email profile","sid":"6_Jo3wACOncaS0OUeKUJNTMI","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0c1fc93a-e281-d78c-df0e-2c62d531f5f4","preferred_username":"alice_lead","scope":"email profile","sid":"6_Jo3wACOncaS0OUeKUJNTMI","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5bb178f1-fae9-4675-a8f0-a74e46cafa5d","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56448","PortSpecifier":{"PortValue":56448}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56448","PortSpecifier":{"PortValue":56448}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":574003114},"http":{"id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-QoOqIi9ikTNyR1VE_nCfdAr9XWrlFHUbRJTAmoLhv8TgZZDHegR9JadqvQKW"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-QoOqIi9ikTNyR1VE_nCfdAr9XWrlFHUbRJTAmoLhv8TgZZDHegR9JadqvQKW\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"0bd49399-d41b-4f3a-a646-723a3b5f3dec","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"61080c62-9a36-4069-bf22-93eee1d9b752","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":588939798},"http":{"id":"61080c62-9a36-4069-bf22-93eee1d9b752","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-QoOqIi9ikTNyR1VE_nCfdAr9XWrlFHUbRJTAmoLhv8TgZZDHegR9JadqvQKW"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-QoOqIi9ikTNyR1VE_nCfdAr9XWrlFHUbRJTAmoLhv8TgZZDHegR9JadqvQKW\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-QoOqIi9ikTNyR1VE_nCfdAr9XWrlFHUbRJTAmoLhv8TgZZDHegR9JadqvQKW","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.38","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.38","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"61080c62-9a36-4069-bf22-93eee1d9b752"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"61080c62-9a36-4069-bf22-93eee1d9b752","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":588939798,"seconds":1781315364},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.38:58842","port":58842}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"652dd6cf-7643-4163-9340-f4d3272f9ae1","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"61080c62-9a36-4069-bf22-93eee1d9b752","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56452","PortSpecifier":{"PortValue":56452}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56452","PortSpecifier":{"PortValue":56452}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":686466336},"http":{"id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:baeae923-702d-b915-7ba6-42026c541bf4","preferred_username":"alice_lead","scope":"email profile","sid":"Qs0Afkn50uNS_o7ziAHtecnN","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:baeae923-702d-b915-7ba6-42026c541bf4","preferred_username":"alice_lead","scope":"email profile","sid":"Qs0Afkn50uNS_o7ziAHtecnN","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7e6d9d92-2f1a-4edd-a8f8-df0709d0dbd4","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56464","PortSpecifier":{"PortValue":56464}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9499dc9e-d5d5-4d4b-8688-618012822f85","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56464","PortSpecifier":{"PortValue":56464}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":713978821},"http":{"id":"9499dc9e-d5d5-4d4b-8688-618012822f85","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9499dc9e-d5d5-4d4b-8688-618012822f85","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56472","PortSpecifier":{"PortValue":56472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"64de27e5-2451-4b68-afdf-1aa24669e740","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56472","PortSpecifier":{"PortValue":56472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":741149516},"http":{"id":"64de27e5-2451-4b68-afdf-1aa24669e740","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"64de27e5-2451-4b68-afdf-1aa24669e740","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":747780208},"http":{"id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-BNQF4i9b719DMMju_PkFfpe5hXtX5auts1Il8jYliSpcDN6RW0rNryopgLRD","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.38","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.38","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":747780208,"seconds":1781315364},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.38:58842","port":58842}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"917c3ba7-3a82-4d33-9e3a-8d96c0ab25bf","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"2e6d1f83-2406-48a2-ba5f-6e68fedf431c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56480","PortSpecifier":{"PortValue":56480}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"404d0a66-4676-4f2f-be68-e44e12919b02","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56480","PortSpecifier":{"PortValue":56480}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":839892724},"http":{"id":"404d0a66-4676-4f2f-be68-e44e12919b02","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0a072ed7-975d-40e2-a051-26d754460c4b","preferred_username":"alice_lead","scope":"email profile","sid":"xHNSZumZ6J7CfKbANkJrIiTx","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:0a072ed7-975d-40e2-a051-26d754460c4b","preferred_username":"alice_lead","scope":"email profile","sid":"xHNSZumZ6J7CfKbANkJrIiTx","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"404d0a66-4676-4f2f-be68-e44e12919b02","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56490","PortSpecifier":{"PortValue":56490}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56490","PortSpecifier":{"PortValue":56490}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":868983893},"http":{"id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"4cada411-a8a3-430b-9bf5-7ada6235e02c","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":875776997},"http":{"id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.38","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.38","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":875776997,"seconds":1781315364},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.38:58842","port":58842}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"aeadd34e-2ad7-4a46-9556-513c8095546b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"99470686-cee7-4d3a-a709-ecf5d5e34fdf","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56496","PortSpecifier":{"PortValue":56496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56496","PortSpecifier":{"PortValue":56496}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":906027000},"http":{"id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","method":"GET","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"b6f9d9c9-150d-4bd8-a024-af60964731a6","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.38:58842","PortSpecifier":{"PortValue":58842}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315364,"nanos":912927105},"http":{"id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1Cz2q0NWXghonSbLR_Ubm9uwf7eMuMyvoKXeKIfswNgbwVj0R2LZf06b5xzOf","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.38","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTh0azdmCiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.134.0.26~maas-default-gateway-openshift-default-8559cd5744-8tk7f.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.38","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":912927105,"seconds":1781315364},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.38:58842","port":58842}}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"X-MaaS-Tenant","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"aeadd34e-2ad7-4a46-9556-513c8095546b","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}}
{"level":"info","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:24Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54b92ca8-b4eb-4b66-b208-9a3207f278b8","authorized":true,"response":"OK"}
{"level":"info","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbff0977-0c41-409f-9aa1-907849b96833","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56498","PortSpecifier":{"PortValue":56498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"dbff0977-0c41-409f-9aa1-907849b96833","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com","scheme":"https"}}}}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"dbff0977-0c41-409f-9aa1-907849b96833","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.15:56498","PortSpecifier":{"PortValue":56498}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.134.0.26:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781315365,"nanos":11769289},"http":{"id":"dbff0977-0c41-409f-9aa1-907849b96833","method":"POST","headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cd513ca7-17c6-f95a-ac7c-a9c50673627a","preferred_username":"alice_lead","scope":"email profile","sid":"eTOuyCZIwCbin5Ypxl8r4X95","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"dbff0977-0c41-409f-9aa1-907849b96833","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781315664,"groups":["Engineering","Project-Alpha"],"iat":1781315364,"iss":"https://keycloak.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:cd513ca7-17c6-f95a-ac7c-a9c50673627a","preferred_username":"alice_lead","scope":"email profile","sid":"eTOuyCZIwCbin5Ypxl8r4X95","sub":"de1f66f2-607d-4494-b40d-d32b4403fb42","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.134.0.26:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.e079cdbb-29c8-4149-b58a-c19e9da859e9.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer ****
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n  object.get(input.auth.metadata, \"apiKeyValidation\", {})\n  input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n  not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"dbff0977-0c41-409f-9aa1-907849b96833","config":{"Name":"X-MaaS-Tenant-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Tenant","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"models-as-a-service"}
{"level":"info","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbff0977-0c41-409f-9aa1-907849b96833","authorized":true,"response":"OK"}
{"level":"debug","ts":"2026-06-13T01:49:25Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"dbff0977-0c41-409f-9aa1-907849b96833","authorized":true,"response":"OK"}