{"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3c0d47082320c9bb02d3788ab2b052c696af91abc2ae438437ae71a26936c7c2"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4dc577fd60594d78a4a8bebe396f4b5a928f41bdc3f95c06d717cf1ddc3158b2"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/df733b2c652bfe2458c9e19932b1091e939c1a62178d6879462b3b4f73fca4bb"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"error","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"failed to update the resource","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"error":"Operation cannot be fulfilled on authconfigs.authorino.kuadrant.io \"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a\": the object has been modified; please apply your changes to the latest version and try again","stacktrace":"github.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).updateAuthConfigStatus\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:162\ngithub.com/kuadrant/authorino/controllers.(*AuthConfigStatusUpdater).Reconcile\n\t/usr/src/authorino/controllers/auth_config_status_updater.go:81\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/opt/app-root/src/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dc75fc8307b952a3e873400cf417e90f2861e8a225abec4b22708deb7901db7"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciling"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"},"authconfig/status":{"conditions":[{"type":"Available","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"HostsLinked"},{"type":"Ready","status":"True","lastTransitionTime":"2026-06-12T19:51:45Z","reason":"Reconciled"}],"summary":{"ready":true,"hostsReady":["9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"],"numHostsReady":"1/1","numIdentitySources":3,"numMetadataSources":2,"numAuthorizationPolicies":4,"numResponseItems":6,"festivalWristbandEnabled":false}}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/80f10756c0e833d16937036ed66f1daf5bef95559ef05a5e852766b97b9bdaef"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status updated","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/35d34d59676c333235d7c9f02273e0380bb39f27cfd30856fedc0f7c0e5f79aa"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"} {"level":"debug","ts":"2026-06-12T19:51:45Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9bbfc0b2e9e9acadd41342cd7c36a24afa8a5eef942d161782a6adae8411158a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/5fea747cb803a5ee3aeb620187bd9ec74ccccd10a92474ef528215a7ff146c8f"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/9903213c635804dd416e9f12956f0fa896195627091daaf593a30df64cf640c5"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/d3b195a61a7f24c6bf1fba40f9f2e2565facb6af92e959c1546ac398a9172618"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/bf72a6316f6ed79299511e58d068836cdc71dbca5e23944f783c9340ffa0aee1"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e38d76c6f386f12bc12190c87b39e6e77e182be454f85659a9197c301f2cd9be"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/a89b0896df0d8cd430f1c81b6eb292ddc044daed393537d009a6330718f58d4b"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/311b1be286674fd5684c9ac59b318287dade9769cfe4aeebd8c88e2dc6b72418"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/edcceb5a2e0cf1edde0fc3ed43068ce5b123a6fdc41949959c2c3b7a5a48bf24"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/b1f82c4ba6cc7617f9c0b90067f72f4a25fdc5de2564c14ccb90af534a2905f6"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","namespace":"kuadrant-system"}} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/319a353672fc7601c875fa3f8b807adf60b64f093f022b2a1c3dfef3ac8cd4f4"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status did not change","authconfig":{"name":"c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","namespace":"kuadrant-system"}} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/331dc257e65f55f80700a586f7807093eda7b3d8e7d91215dc3c47731508480c"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/7371c34ce8e4df2309ee8f952c87f921947b289427b6e9ea579dcb9970fc1b86"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/86cbb62fb4d82d4dc402b3281444539a5625c4bb4c86bbc4912c70e690a2e374"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/e50f5fdcb9fb7e124557afe69edae9a95d05da488eae1cc4b5c1c7c1220a826a"} {"level":"debug","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig.jwt","msg":"openid connect configuration updated","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f","issuerUrl":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource reconciled","authconfig":"kuadrant-system/c9f2cdb36f800bc8ef8831e6117ec4c6cc521d8cd63b718b7906225d0f25e59f"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/3efb8e937aa19b5e0bdd0c3eb5b4ece33299385dcfc89205b8934853facbdcf0"} {"level":"info","ts":"2026-06-12T19:51:46Z","logger":"authorino.controller-runtime.manager.controller.authconfig","msg":"resource de-indexed","authconfig":"kuadrant-system/2200947db0f3acc41dd3fca21efa06f90c57afddd36d719bdda2dc74a0bd0a11"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54596","PortSpecifier":{"PortValue":54596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54596","PortSpecifier":{"PortValue":54596}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":187445336},"http":{"id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Engineering","Project-Alpha"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7d886f6-f949-2f6a-cb1d-349367754719","preferred_username":"alice_lead","scope":"profile email","sid":"mMQJzy0lfnsQCN7I12vknwIg","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Engineering","Project-Alpha"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a7d886f6-f949-2f6a-cb1d-349367754719","preferred_username":"alice_lead","scope":"profile email","sid":"mMQJzy0lfnsQCN7I12vknwIg","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"9b2b75da-d804-48d3-95d0-d78b73f4c933","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54600","PortSpecifier":{"PortValue":54600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"83c98def-359c-41f2-8a6f-c9658605b37d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54600","PortSpecifier":{"PortValue":54600}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":299400480},"http":{"id":"83c98def-359c-41f2-8a6f-c9658605b37d","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"83c98def-359c-41f2-8a6f-c9658605b37d","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54604","PortSpecifier":{"PortValue":54604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54604","PortSpecifier":{"PortValue":54604}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":338637384},"http":{"id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer","content-length":"35","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.13","x-forwarded-host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"d6441339-7f21-48de-bf95-7f72f2f49ef1"},"path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"credential not found"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d6441339-7f21-48de-bf95-7f72f2f49ef1","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54618","PortSpecifier":{"PortValue":54618}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54618","PortSpecifier":{"PortValue":54618}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":366405844},"http":{"id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","content-length":"36","content-type":"application/json","forwarded":"for=44.212.242.249;host=maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com;proto=https","user-agent":"python-requests/2.32.5","x-envoy-decorator-operation":"maas-api.opendatahub.svc.cluster.local:8443/*","x-envoy-external-address":"10.132.0.13","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"44.212.242.249,10.132.0.13","x-forwarded-host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","x-forwarded-port":"443","x-forwarded-proto":"https","x-request-id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e"},"path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https","protocol":"HTTP/1.1"}},"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"metadata_context":{}}} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"5b689b3c-8cb6-4001-b9bd-1379a19b1b0e","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54628","PortSpecifier":{"PortValue":54628}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54628","PortSpecifier":{"PortValue":54628}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":713410754},"http":{"id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Site-Reliability"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a1ce8a86-bd61-4356-e3d9-3bcb9e537d53","preferred_username":"bob_sre","scope":"profile email","sid":"_YjAQB72_YvrIdVFv5v4rzK8","sub":"7a64cde0-3a6b-439a-b9f4-0c020cca0a9b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Site-Reliability"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:a1ce8a86-bd61-4356-e3d9-3bcb9e537d53","preferred_username":"bob_sre","scope":"profile email","sid":"_YjAQB72_YvrIdVFv5v4rzK8","sub":"7a64cde0-3a6b-439a-b9f4-0c020cca0a9b","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c711398f-0169-4f7a-a8dd-c2b8cea093f1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54636","PortSpecifier":{"PortValue":54636}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54636","PortSpecifier":{"PortValue":54636}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":924591320},"http":{"id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Engineering","Project-Alpha"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:542b38fc-87e1-a1fc-2e2c-746f2c3c88fe","preferred_username":"alice_lead","scope":"profile email","sid":"WWmJgeGoDnFy8L0Zoa8Uc_pQ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294232,"groups":["Engineering","Project-Alpha"],"iat":1781293932,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:542b38fc-87e1-a1fc-2e2c-746f2c3c88fe","preferred_username":"alice_lead","scope":"profile email","sid":"WWmJgeGoDnFy8L0Zoa8Uc_pQ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"f17a8534-d488-4afb-b8fa-645fdb8cf152","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"06d53dae-e449-4645-94b1-830d5280a397","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54644","PortSpecifier":{"PortValue":54644}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"06d53dae-e449-4645-94b1-830d5280a397","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"06d53dae-e449-4645-94b1-830d5280a397","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54644","PortSpecifier":{"PortValue":54644}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":957678573},"http":{"id":"06d53dae-e449-4645-94b1-830d5280a397","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm\"}"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"06d53dae-e449-4645-94b1-830d5280a397","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"06d53dae-e449-4645-94b1-830d5280a397","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"06d53dae-e449-4645-94b1-830d5280a397","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"06d53dae-e449-4645-94b1-830d5280a397","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293932,"nanos":974198115},"http":{"id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm\"}"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":974198115,"seconds":1781293932},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.41:36028","port":36028}}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c39203ec-9fc3-472d-9a17-04075364d990","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:12Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"a6f0244f-afa3-4fb6-a6e4-b589149c5c14","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54656","PortSpecifier":{"PortValue":54656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","method":"POST","path":"/llm/facebook-opt-125m-simulated/v1/chat/completions","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54656","PortSpecifier":{"PortValue":54656}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293933,"nanos":5866455},"http":{"id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-1GIJpOzDRsYdXKNDH_ohlYJcdOhqaiPVbtq6oVRmq02mm0Pe5Jzuav596IIUm\"}"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"18e32965997cdd9967355c6fa5264ed12c0a215989d459ed88d7d6de02865f76"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/llm/facebook-opt-125m-simulated/v1/chat/completions",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"subscription_error","Value":{}},{"Name":"userid","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"keyId","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"groups","Value":{}},{"Name":"groups_str","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"c39203ec-9fc3-472d-9a17-04075364d990","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1cbcdc1f-1efb-422f-868a-16ca09b55254","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54658","PortSpecifier":{"PortValue":54658}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54658","PortSpecifier":{"PortValue":54658}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293933,"nanos":111348961},"http":{"id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294233,"groups":["Engineering","Project-Alpha"],"iat":1781293933,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5cd80b76-61df-b2ae-9bec-fbf881f86992","preferred_username":"alice_lead","scope":"profile email","sid":"3inV8UCgvHmOg2S6boYz8nC6","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294233,"groups":["Engineering","Project-Alpha"],"iat":1781293933,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5cd80b76-61df-b2ae-9bec-fbf881f86992","preferred_username":"alice_lead","scope":"profile email","sid":"3inV8UCgvHmOg2S6boYz8nC6","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"66a7e0e1-fa2d-4f8f-aded-5537ba276bbd","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54674","PortSpecifier":{"PortValue":54674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"7ad50099-18b9-4bd6-ae11-8562701f305c","method":"DELETE","path":"/maas-api/v1/api-keys/ec16756d-0712-414c-b476-cfeefebe0f3f","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:54674","PortSpecifier":{"PortValue":54674}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293933,"nanos":141584879},"http":{"id":"7ad50099-18b9-4bd6-ae11-8562701f305c","method":"DELETE","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ec16756d-0712-414c-b476-cfeefebe0f3f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294233,"groups":["Engineering","Project-Alpha"],"iat":1781293933,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5cd80b76-61df-b2ae-9bec-fbf881f86992","preferred_username":"alice_lead","scope":"profile email","sid":"3inV8UCgvHmOg2S6boYz8nC6","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294233,"groups":["Engineering","Project-Alpha"],"iat":1781293933,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:5cd80b76-61df-b2ae-9bec-fbf881f86992","preferred_username":"alice_lead","scope":"profile email","sid":"3inV8UCgvHmOg2S6boYz8nC6","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/ec16756d-0712-414c-b476-cfeefebe0f3f",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:13Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"7ad50099-18b9-4bd6-ae11-8562701f305c","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45436","PortSpecifier":{"PortValue":45436}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"910e5290-22b8-49bb-81a4-585be15a5e9c","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45436","PortSpecifier":{"PortValue":45436}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":174964801},"http":{"id":"910e5290-22b8-49bb-81a4-585be15a5e9c","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-pnVRdIbYl12zy0CW_udzaYVztb43jJGLctsEKakgiYq9CgfOzUCzQbR28R3E"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-pnVRdIbYl12zy0CW_udzaYVztb43jJGLctsEKakgiYq9CgfOzUCzQbR28R3E\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** revoked or expired","valid":false}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","input":{"auth":{"identity":"Bearer **** revoked or expired","valid":false}}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access denied","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"reason":"Unauthorized"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"910e5290-22b8-49bb-81a4-585be15a5e9c","authorized":false,"response":"PERMISSION_DENIED","object":{"code":7,"status":403,"message":"Unauthorized","headers":[{"content-type":"text/plain"},{"x-ext-auth-reason":""}]}} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45446","PortSpecifier":{"PortValue":45446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45446","PortSpecifier":{"PortValue":45446}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":306237318},"http":{"id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"failed to verify signature: failed to verify id token signature"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity.kubernetesauth","msg":"calling kubernetes token review api","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","tokenreview":{"name":""}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"cannot validate identity","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","config":{"Name":"openshift-identities","Priority":2,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":null,"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"Plain":null,"Noop":null,"ExtendedProperties":[]},"reason":"not authenticated"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"d33a6bdb-05b6-4e22-a11b-e25cbf29c488","authorized":false,"response":"UNAUTHENTICATED","object":{"code":16,"status":401,"message":"Authentication required","headers":[{"WWW-Authenticate":"request.headers.authorization realm=\"api-keys\""},{"WWW-Authenticate":"Bearer **** realm=\"openshift-identities\""}]}} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45454","PortSpecifier":{"PortValue":45454}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45454","PortSpecifier":{"PortValue":45454}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":462437468},"http":{"id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f4e8b75b-6b84-8dda-906d-4c1e889d0f31","preferred_username":"alice_lead","scope":"profile email","sid":"b_LlxdczqvjYLJhCWick2OIL","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f4e8b75b-6b84-8dda-906d-4c1e889d0f31","preferred_username":"alice_lead","scope":"profile email","sid":"b_LlxdczqvjYLJhCWick2OIL","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"300ae92c-921f-44d1-b2ea-1ceece8764ab","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45460","PortSpecifier":{"PortValue":45460}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45460","PortSpecifier":{"PortValue":45460}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":494060052},"http":{"id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Site-Reliability"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9033397e-116b-4c61-0201-05eed83f319a","preferred_username":"bob_sre","scope":"profile email","sid":"i4eO2rOku7vlPTOhsUtXVkD2","sub":"7a64cde0-3a6b-439a-b9f4-0c020cca0a9b","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Site-Reliability"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:9033397e-116b-4c61-0201-05eed83f319a","preferred_username":"bob_sre","scope":"profile email","sid":"i4eO2rOku7vlPTOhsUtXVkD2","sub":"7a64cde0-3a6b-439a-b9f4-0c020cca0a9b","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"bob_sre"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Site-Reliability\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"68efa2f2-2762-4c3b-9ea7-f1b46a33c05d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45474","PortSpecifier":{"PortValue":45474}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"54494124-f736-4f70-a2f2-04da7a0e4828","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45474","PortSpecifier":{"PortValue":45474}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":590107582},"http":{"id":"54494124-f736-4f70-a2f2-04da7a0e4828","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"54494124-f736-4f70-a2f2-04da7a0e4828","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45488","PortSpecifier":{"PortValue":45488}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","method":"DELETE","path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45488","PortSpecifier":{"PortValue":45488}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":623498755},"http":{"id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","method":"DELETE","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"283f502e-1c3b-4c1f-9a32-dd6ceaa5d2b2","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45494","PortSpecifier":{"PortValue":45494}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","method":"DELETE","path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45494","PortSpecifier":{"PortValue":45494}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":651601348},"http":{"id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","method":"DELETE","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:10765449-932a-aac2-6679-2e362e36b4e5","preferred_username":"alice_lead","scope":"profile email","sid":"K8vdzfICuXNxRm3D8Ig3OdTZ","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"DELETE",":path":"/maas-api/v1/api-keys/40a31edc-ceba-4852-ac6b-b27ce8e9de88",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"ed387b83-d2c2-4cd5-bdd3-bf83141ee38a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45502","PortSpecifier":{"PortValue":45502}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45502","PortSpecifier":{"PortValue":45502}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":740773692},"http":{"id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f156d05c-dd55-e701-6770-ba930f562411","preferred_username":"alice_lead","scope":"profile email","sid":"qeA3ppTTU5xyhFws80EmDeaI","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:f156d05c-dd55-e701-6770-ba930f562411","preferred_username":"alice_lead","scope":"profile email","sid":"qeA3ppTTU5xyhFws80EmDeaI","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3c3f4801-a7be-4b41-b3a5-5d601ac89b34","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45510","PortSpecifier":{"PortValue":45510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45510","PortSpecifier":{"PortValue":45510}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":771975388},"http":{"id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-QWXNPvOZFxj3iaEC_GFGNuUx2xN7CcYzqUW5Jr3DgSf9aHRljqtyBMg9tMLw"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-QWXNPvOZFxj3iaEC_GFGNuUx2xN7CcYzqUW5Jr3DgSf9aHRljqtyBMg9tMLw\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"67a08b75-b1ed-473b-adce-cc306f6f43e9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"237a70dd-8eae-4a1b-9803-632a40b283d9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":778238480},"http":{"id":"237a70dd-8eae-4a1b-9803-632a40b283d9","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-QWXNPvOZFxj3iaEC_GFGNuUx2xN7CcYzqUW5Jr3DgSf9aHRljqtyBMg9tMLw"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-QWXNPvOZFxj3iaEC_GFGNuUx2xN7CcYzqUW5Jr3DgSf9aHRljqtyBMg9tMLw\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-QWXNPvOZFxj3iaEC_GFGNuUx2xN7CcYzqUW5Jr3DgSf9aHRljqtyBMg9tMLw","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"237a70dd-8eae-4a1b-9803-632a40b283d9"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"237a70dd-8eae-4a1b-9803-632a40b283d9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":778238480,"seconds":1781293936},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.41:36028","port":36028}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"5e690f97-bdfa-43a6-af5f-7c00d23c2bcf","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"237a70dd-8eae-4a1b-9803-632a40b283d9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45524","PortSpecifier":{"PortValue":45524}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45524","PortSpecifier":{"PortValue":45524}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":869417600},"http":{"id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1aed2abb-f6ff-5c4f-8593-79b946ea0d0c","preferred_username":"alice_lead","scope":"profile email","sid":"JGy76Exz5TMrphTTQNLmmG3d","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:1aed2abb-f6ff-5c4f-8593-79b946ea0d0c","preferred_username":"alice_lead","scope":"profile email","sid":"JGy76Exz5TMrphTTQNLmmG3d","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"1f149799-bc3e-451f-acb9-bbf3c2641b07","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45536","PortSpecifier":{"PortValue":45536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45536","PortSpecifier":{"PortValue":45536}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":896209220},"http":{"id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c5757aef-ca7d-4b50-a798-f839392b2d7a","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45538","PortSpecifier":{"PortValue":45538}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45538","PortSpecifier":{"PortValue":45538}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":921700789},"http":{"id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"6f86e2c1-eb96-4194-be1d-e1a96c6294f1","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293936,"nanos":927406259},"http":{"id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-wr6n1K7X8Y9gi1tB_6ogDYo4MApQXL9LSvgEZerek4zZvYCNyrDYsUdoJlDy","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":927406259,"seconds":1781293936},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.41:36028","port":36028}}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"afd7a1ea-02f2-48f0-9030-da38fac1fe80","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:16Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"e3f4f80b-6330-463d-acb9-db78e9cf31a9","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45540","PortSpecifier":{"PortValue":45540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45540","PortSpecifier":{"PortValue":45540}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":16385090},"http":{"id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b66c83de-eae9-188b-95c4-f792967af0ba","preferred_username":"alice_lead","scope":"profile email","sid":"yVcvhOLLeyHDQTxonKD_qChP","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294236,"groups":["Engineering","Project-Alpha"],"iat":1781293936,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:b66c83de-eae9-188b-95c4-f792967af0ba","preferred_username":"alice_lead","scope":"profile email","sid":"yVcvhOLLeyHDQTxonKD_qChP","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"3ddbb81a-37c4-40e1-b69b-5c837de13bad","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45552","PortSpecifier":{"PortValue":45552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"91b7f3ee-a238-4e56-8414-71f783d475ca","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45552","PortSpecifier":{"PortValue":45552}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":46318405},"http":{"id":"91b7f3ee-a238-4e56-8414-71f783d475ca","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"91b7f3ee-a238-4e56-8414-71f783d475ca","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":53814483},"http":{"id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":53814483,"seconds":1781293937},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.41:36028","port":36028}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"de2d43b7-31ff-4bd6-8434-41f6496c73a5","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"755e3acf-bfd9-46fd-a9e9-58cc42958f25","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45562","PortSpecifier":{"PortValue":45562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","method":"GET","path":"/maas-api/v1/models","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45562","PortSpecifier":{"PortValue":45562}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":83231823},"http":{"id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","method":"GET","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"GET",":path":"/maas-api/v1/models",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","input":{"auth":{"identity":"Bearer **** deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: subscription-info"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c88c63c5-ffbf-4bad-865c-0e082b1061a0","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.41:36028","PortSpecifier":{"PortValue":36028}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":89319665},"http":{"id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","method":"GET","headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"api-keys","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":"apiKeyValidation","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/api-keys/validate","headers":{"Content-Type":["application/json"]},"body":"{\"key\":\"sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"apiKeyValidation","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata.http","msg":"sending request","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":"subscription-info","method":"POST","url":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","headers":{"Content-Type":["application/json"]},"body":"{\"groups\":[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"],\"requestedModel\":\"llm/facebook-opt-125m-simulated\",\"requestedSubscription\":\"simulator-subscription\",\"username\":\"alice_lead\"}"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.metadata","msg":"fetched auth metadata","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"subscription-info","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"UserInfo":null,"UMA":null,"GenericHTTP":{"Endpoint":"https://maas-api.opendatahub.svc.cluster.local:8443/internal/v1/subscriptions/select","DynamicEndpoint":null,"Method":"POST","Body":{},"Parameters":[],"Headers":[],"ContentType":"application/json","SharedSecret":"","OAuth2":null,"OAuth2TokenForceFetch":false,"AuthCredentials":null}},"object":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","input":{"auth":{"identity":"Bearer **** subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true}}},"context":{"context_extensions":{"host":"3dd75e19cd66d310c30638e330078972afd6d2d96305f91055bc6a6f363fb8d3"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local",":method":"GET",":path":"/llm/facebook-opt-125m-simulated/v1/models",":scheme":"https","accept-encoding":"gzip","authorization":"Bearer **** sk-oai-812vXMuNS6ieUIk0_v39OFJWCMrKXKmCx4OMbmjVJdAyMzei2Ngr74NNkZMR","user-agent":"Go-http-client/1.1","x-envoy-decorator-operation":"facebook-opt-125m-simulated-kserve-workload-svc.llm.svc.cluster.local:8000/*","x-envoy-external-address":"10.133.0.41","x-envoy-peer-metadata":"ChoKCkNMVVNURVJfSUQSDBoKS3ViZXJuZXRlcwqLAQoGTEFCRUxTEoABKn4KSwofc2VydmljZS5pc3Rpby5pby9jYW5vbmljYWwtbmFtZRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdAovCiNzZXJ2aWNlLmlzdGlvLmlvL2Nhbm9uaWNhbC1yZXZpc2lvbhIIGgZsYXRlc3QKQQoETkFNRRI5GjdtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdC04NTU5Y2Q1NzQ0LTRzcXI5CiAKCU5BTUVTUEFDRRITGhFvcGVuc2hpZnQtaW5ncmVzcwp0CgVPV05FUhJrGmlrdWJlcm5ldGVzOi8vYXBpcy9hcHBzL3YxL25hbWVzcGFjZXMvb3BlbnNoaWZ0LWluZ3Jlc3MvZGVwbG95bWVudHMvbWFhcy1kZWZhdWx0LWdhdGV3YXktb3BlbnNoaWZ0LWRlZmF1bHQKOQoNV09SS0xPQURfTkFNRRIoGiZtYWFzLWRlZmF1bHQtZ2F0ZXdheS1vcGVuc2hpZnQtZGVmYXVsdA==","x-envoy-peer-metadata-id":"router~10.133.0.32~maas-default-gateway-openshift-default-8559cd5744-4sqr9.openshift-ingress~openshift-ingress.svc.cluster.local","x-forwarded-for":"10.133.0.41","x-forwarded-proto":"https","x-maas-subscription":"simulator-subscription","x-request-id":"c1b9893b-68a7-459a-801f-5b88916ffa2d"},"host":"maas-default-gateway-openshift-default.openshift-ingress.svc.cluster.local","id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","method":"GET","path":"/llm/facebook-opt-125m-simulated/v1/models","protocol":"HTTP/1.1","scheme":"https","time":{"nanos":89319665,"seconds":1781293937},"url_path":"/llm/facebook-opt-125m-simulated/v1/models","user_agent":"Go-http-client/1.1"},"source":{"address":"10.133.0.41:36028","port":36028}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"subscription-valid","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"name\", \"\") != \"\"\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"error\", \"\") == \"\"\n\tphase := object.get(input.auth.metadata[\"subscription-info\"], \"phase\", \"\")\n\tany([phase == \"Active\", phase == \"Degraded\"])\n\tobject.get(input.auth.metadata[\"subscription-info\"], \"deletionTimestamp\", \"\") == \"\"\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"X-MaaS-Username","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"X-MaaS-Group","Priority":0,"Conditions":{"Left":{"Selector":"request.headers.authorization","Operator":5,"Value":"^Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"X-MaaS-Subscription","Priority":0,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Subscription","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"simulator-subscription"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"userid","Value":{}},{"Name":"groups","Value":{}}]},"Plain":null},"object":{"groups":["system:authenticated","Engineering","Project-Alpha"],"groups_str":"system:authenticated,Engineering,Project-Alpha","keyId":"de2d43b7-31ff-4bd6-8434-41f6496c73a5","selected_subscription":"simulator-subscription","selected_subscription_key":"models-as-a-service/simulator-subscription@llm/facebook-opt-125m-simulated","subscription_error":"","subscription_error_message":"","subscription_info":{"description":"Free-tier subscription with 100 tokens/min rate limit","displayName":"Simulator Subscription (Free)","modelRefs":[{"description":"A simulated OPT-125M model for free-tier testing","display_name":"Facebook OPT 125M (Simulated)","name":"facebook-opt-125m-simulated","source":"internal","token_rate_limits":[{"limit":100,"window":"1m"}]}],"name":"simulator-subscription","namespace":"models-as-a-service","phase":"Active","priority":10,"ready":true},"userid":"alice_lead"}} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"c1b9893b-68a7-459a-801f-5b88916ffa2d","authorized":true,"response":"OK"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45572","PortSpecifier":{"PortValue":45572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"http":{"id":"eeeea67c-e340-48d7-9827-998b6b73ee43","method":"POST","path":"/maas-api/v1/api-keys","host":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com","scheme":"https"}}}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"incoming authorization request","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","object":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.132.0.13:45572","PortSpecifier":{"PortValue":45572}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.133.0.32:443","PortSpecifier":{"PortValue":443}}}}},"request":{"time":{"seconds":1781293937,"nanos":181078356},"http":{"id":"eeeea67c-e340-48d7-9827-998b6b73ee43","method":"POST","headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.identity","msg":"identity validated","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"oidc-identities","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Metrics":false,"Cache":null,"OAuth2":null,"JWTAuthentication":{"AuthCredentials":{"KeySelector":"Bearer","In":"authorization_header"}},"MTLS":null,"HMAC":null,"APIKey":null,"KubernetesAuth":null,"Plain":null,"Noop":null,"ExtendedProperties":[]},"object":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294237,"groups":["Engineering","Project-Alpha"],"iat":1781293937,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4dac0dbe-dc6a-ef03-0722-8f1565c4f90b","preferred_username":"alice_lead","scope":"profile email","sid":"_MgcY3sNISme5R8e8O4tZD4M","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"evaluating for input","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","input":{"auth":{"identity":{"acr":"1","allowed-origins":["*"],"azp":"test-client","email_verified":true,"exp":1781294237,"groups":["Engineering","Project-Alpha"],"iat":1781293937,"iss":"https://keycloak.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com/realms/tenant-a","jti":"onrtro:4dac0dbe-dc6a-ef03-0722-8f1565c4f90b","preferred_username":"alice_lead","scope":"profile email","sid":"_MgcY3sNISme5R8e8O4tZD4M","sub":"a078cdc9-c9e5-4790-b756-8926e6ddf0c1","typ":"Bearer"}},"context":{"context_extensions":{"host":"4b78668c68e506f3e4245c5d1f1af6820d0987e90bac1b37e2a03d21cc7ed38d"},"destination":{"address":{"Address":{"SocketAddress":{"PortSpecifier":{"PortValue":443},"address":"10.133.0.32:443"}}}},"metadata_context":{},"request":{"http":{"headers":{":authority":"maas.apps.71411a9d-3589-47da-b636-fd1b7a34023d.prod.konfluxeaas.com",":method":"POST",":path":"/maas-api/v1/api-keys",":scheme":"https","accept":"*/*","accept-encoding":"gzip, deflate","authorization":"Bearer **** deflate","authorization":"Bearer **** {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"tenant-gateway-isolation","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":null,"OPA":{"Rego":"# Tenant hostname isolation stub.\n# Replace with a real maas-api call to validate that the API key's tenant\n# matches the gateway hostname (prevents Coke key on Pepsi gateway).\nallow { true }","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"auth-valid","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"allow {\n object.get(input.auth.metadata, \"apiKeyValidation\", {})\n input.auth.metadata.apiKeyValidation.valid == true\n}\nallow {\n not input.auth.metadata.apiKeyValidation\n}","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.authorization","msg":"access granted","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"require-group-membership","Priority":0,"Conditions":{"Left":null,"Right":null},"Metrics":false,"Cache":{},"OPA":{"Rego":"\nmodel_access := {\"llm/facebook-opt-125m-simulated\":{\"users\":null,\"groups\":[\"system:authenticated\"]},\"llm/premium-simulated-simulated-premium\":{\"users\":[\"system:serviceaccount:premium-users-namespace:premium-service-account\"],\"groups\":[\"premium-user\"]}}\n\nrequest_path := object.get(input.context.request.http, \"path\", \"\")\nrequest_headers := object.get(input.context.request.http, \"headers\", {})\n\npath_parts := [p | p := split(request_path, \"/\")[_]; p != \"\"]\n\npath_model_identity := sprintf(\"%s/%s\", [path_parts[0], path_parts[1]]) {\n\tcount(path_parts) >= 2\n}\n\nheader_model_identity := object.get(request_headers, \"x-gateway-model-name\", \"\")\n\nmodel_identity := path_model_identity {\n\tstartswith(request_path, \"/llm/\")\n} else := header_model_identity {\n\theader_model_identity != \"\"\n} else := \"\"\n\nusername := input.auth.metadata.apiKeyValidation.username\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.username != \"\" }\nelse := input.auth.identity.preferred_username\n\t{ object.get(input.auth, \"identity\", {}).preferred_username != \"\" }\nelse := input.auth.identity.sub\n\t{ object.get(input.auth, \"identity\", {}).sub != \"\" }\nelse := input.auth.identity.user.username\n\t{ object.get(input.auth, \"identity\", {}).user.username != \"\" }\nelse := \"\"\n\ngroups := input.auth.metadata.apiKeyValidation.groups\n\t{ object.get(input.auth, \"metadata\", {}).apiKeyValidation.groups != [] }\nelse := input.auth.identity.groups\n\t{ object.get(input.auth, \"identity\", {}).groups != [] }\nelse := input.auth.identity.user.groups\n\t{ object.get(input.auth, \"identity\", {}).user.groups != [] }\nelse := []\n\nmodel_rules := object.get(model_access, model_identity, null)\n\n# Management endpoints (e.g. /v1/models, /v1/api-keys) carry no model context.\n# Allow them here; subscription and rate-limit checks are gated by the /llm/ when-condition.\nallow {\n\tmodel_identity == \"\"\n}\n\n# Inference path: deny by default when no MaaSAuthPolicy covers this model.\n# Allow only when the caller's username or a group is explicitly listed.\nallow {\n\tmodel_rules != null\n\tmodel_rules.users[_] == username\n}\n\nallow {\n\tmodel_rules != null\n\tg := groups[_]\n\tmodel_rules.groups[_] == g\n}\n","ExternalSource":null,"AllValues":false},"JSON":null,"KubernetesAuthz":null,"Authzed":null},"object":{"allow":true}} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"cannot build dynamic response","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"identity","Priority":0,"Conditions":{"Left":null,"Right":null},"Wrapper":"envoyDynamicMetadata","WrapperKey":"identity","Metrics":true,"Cache":null,"Wristband":null,"DynamicJSON":{"Properties":[{"Name":"groups_str","Value":{}},{"Name":"selected_subscription","Value":{}},{"Name":"subscription_error_message","Value":{}},{"Name":"subscription_info","Value":{}},{"Name":"keyId","Value":{}},{"Name":"selected_subscription_key","Value":{}},{"Name":"subscription_error","Value":{}},{"Name":"groups","Value":{}},{"Name":"userid","Value":{}}]},"Plain":null},"reason":"no such key: metadata"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"X-MaaS-Username-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Username","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"alice_lead"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth.authpipeline.response","msg":"dynamic response built","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","config":{"Name":"X-MaaS-Group-Token","Priority":1,"Conditions":{"Left":{},"Right":{"Left":null,"Right":null}},"Wrapper":"httpHeader","WrapperKey":"X-MaaS-Group","Metrics":false,"Cache":null,"Wristband":null,"DynamicJSON":null,"Plain":{"Value":{}}},"object":"[\"system:authenticated\",\"Engineering\",\"Project-Alpha\"]"} {"level":"info","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","authorized":true,"response":"OK"} {"level":"debug","ts":"2026-06-12T19:52:17Z","logger":"authorino.service.auth","msg":"outgoing authorization response","request id":"eeeea67c-e340-48d7-9827-998b6b73ee43","authorized":true,"response":"OK"}