feat: remove identity headers from model inference AuthPolicies

Remove X-MaaS-Username, X-MaaS-Group, X-MaaS-Key-Id, and X-MaaS-Subscription
headers from requests forwarded to upstream model workloads (defense-in-depth).

All identity information remains available to TokenRateLimitPolicy and gateway
telemetry through AuthPolicy's filters.identity mechanism, but is not exposed
to model runtime pods to prevent accidental disclosure in logs or dumps.

Changes:
- Remove response.success.headers from controller-generated AuthPolicies
- Add test verifying headers not forwarded and identity data available
- Update docs to explain security model and scope (model routes only)

Out of scope: maas-api static AuthPolicy unchanged (still uses headers for
ExtractUserInfo middleware on maas-api-route).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: jrhyness

docs/content/architecture.md

@@ -214,7 +214,7 @@ The MaaSAuthPolicy delegates to the MaaS API for key validation and subscription
 2. MaaS API validates the key (format, not revoked, not expired) and returns username, groups, and subscription.
 3. Authorino calls MaaS API to check subscription (groups, username, requested subscription from the key).
 4. If the user lacks access to the requested subscription → error (403).
-5. On success, returns selected subscription; Authorino caches the result (e.g., 60s TTL). AuthPolicy may inject `X-MaaS-Subscription` **server-side** for downstream rate limiting and metrics. Clients do not send this header on inference; subscription comes from the API key record created at mint time.
+5. On success, returns selected subscription; Authorino caches the result (e.g., 60s TTL). Identity information (username, groups, subscription, key ID) is made available to TokenRateLimitPolicy and observability through AuthPolicy's `filters.identity` mechanism, but is **not forwarded** as HTTP headers to upstream model workloads (defense-in-depth security). Clients do not send subscription headers on inference; subscription comes from the API key record created at mint time.
 
 ```mermaid
 graph TB

docs/content/configuration-and-management/maas-controller-overview.md

@@ -231,6 +231,32 @@ The Kuadrant AuthPolicy validates API keys via the MaaS API and validates user t
 
 ---
 
+## 9.1. Identity Headers and Defense-in-Depth
+
+**For model inference routes** (HTTPRoutes targeting model workloads):
+
+The controller-generated AuthPolicies do **not** inject identity-related HTTP headers (`X-MaaS-Username`, `X-MaaS-Group`, `X-MaaS-Key-Id`, `X-MaaS-Subscription`) into requests forwarded to upstream model pods. This is a defense-in-depth security measure to prevent accidental disclosure of user identity, group membership, and key identifiers in:
+
+- Model runtime logs
+- Upstream debug dumps
+- Misconfigured proxies or sidecars
+
+All identity information remains available to **gateway-level features** through Authorino's `auth.identity` and `auth.metadata` contexts, which are consumed by:
+
+- **TokenRateLimitPolicy (TRLP)**: Uses `selected_subscription_key`, `userid`, `groups`, and `subscription_labels` from `filters.identity`
+- **Gateway telemetry/metrics**: Accesses identity fields with `metrics: true` enabled on `filters.identity`
+- **Authorization policies**: OPA/Rego rules evaluate `auth.identity` and `auth.metadata` directly
+
+**For maas-api routes**:
+
+The static AuthPolicy for maas-api (`deployment/base/maas-api/policies/auth-policy.yaml`) still injects `X-MaaS-Username` and `X-MaaS-Group` headers, as maas-api's `ExtractUserInfo` middleware requires them. This is separate from model inference routes and follows a different security model (maas-api is a trusted internal service).
+
+**Security motivation:**
+
+Model workloads (vLLM, Llama.cpp, etc.) do not require strong identity claims in cleartext headers. By keeping identity at the gateway layer, we reduce the attack surface and limit the blast radius of potential log leaks or upstream vulnerabilities.
+
+---
+
 ## 10. Summary
 
 | Topic | Summary |

maas-controller/pkg/controller/maas/maasauthpolicy_controller.go

@@ -448,45 +448,12 @@ allow {
 		// match against subscription groups (which may differ from auth policy groups).
 		// Also inject subscription metadata from subscription-info for Limitador metrics.
 		// For API keys: username/groups come from apiKeyValidation metadata
-		// For K8s tokens: username/groups come from auth.identity
+		// Identity headers intentionally removed for defense-in-depth:
+		// User identity, groups, and key IDs are not forwarded to upstream model workloads
+		// to prevent accidental disclosure in logs or dumps. All identity information remains
+		// available to TRLP and telemetry via auth.identity and filters.identity below.
 		rule["response"] = map[string]interface{}{
 			"success": map[string]interface{}{
-				"headers": map[string]interface{}{
-					// Username from API key validation or K8s token identity
-					"X-MaaS-Username": map[string]interface{}{
-						"plain": map[string]interface{}{
-							"expression": `(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.username : auth.identity.user.username`,
-						},
-						"metrics":  false,
-						"priority": int64(0),
-					},
-					// Groups - serialize to JSON array string from API key validation or K8s identity
-					// Using string() conversion of JSON-serialized groups for proper escaping
-					"X-MaaS-Group": map[string]interface{}{
-						"plain": map[string]interface{}{
-							"expression": `string(((has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.groups : auth.identity.user.groups))`,
-						},
-						"metrics":  false,
-						"priority": int64(0),
-					},
-					// Key ID for tracking (only for API keys)
-					"X-MaaS-Key-Id": map[string]interface{}{
-						"plain": map[string]interface{}{
-							"expression": `(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.keyId : ""`,
-						},
-						"metrics":  false,
-						"priority": int64(0),
-					},
-					// Subscription bound to API key (only for API keys)
-					// For K8s tokens, this header is not injected (empty string)
-					"X-MaaS-Subscription": map[string]interface{}{
-						"plain": map[string]interface{}{
-							"expression": `(has(auth.metadata) && has(auth.metadata.apiKeyValidation)) ? auth.metadata.apiKeyValidation.subscription : ""`,
-						},
-						"metrics":  false,
-						"priority": int64(0),
-					},
-				},
 				"filters": map[string]interface{}{
 					"identity": map[string]interface{}{
 						"json": map[string]interface{}{

maas-controller/pkg/controller/maas/maasauthpolicy_controller_test.go

@@ -1062,6 +1062,117 @@ func TestMaaSAuthPolicyReconciler_CacheKeyModelIsolation(t *testing.T) {
 	}
 }
 
+// TestMaaSAuthPolicyReconciler_NoIdentityHeadersUpstream verifies that identity headers
+// (X-MaaS-Username, X-MaaS-Group, X-MaaS-Key-Id, X-MaaS-Subscription) are NOT injected
+// into requests forwarded to upstream model workloads (defense-in-depth).
+// All identity information remains available to TRLP and telemetry via filters.identity.
+func TestMaaSAuthPolicyReconciler_NoIdentityHeadersUpstream(t *testing.T) {
+	const (
+		modelName      = "llm"
+		namespace      = "default"
+		httpRouteName  = "maas-model-" + modelName
+		authPolicyName = "maas-auth-" + modelName
+		maasPolicyName = "policy-a"
+	)
+
+	model := newMaaSModelRef(modelName, namespace, "ExternalModel", modelName)
+	route := newHTTPRoute(httpRouteName, namespace)
+	maasPolicy := newMaaSAuthPolicy(maasPolicyName, namespace, "team-a", maasv1alpha1.ModelRef{Name: modelName, Namespace: namespace})
+
+	c := fake.NewClientBuilder().
+		WithScheme(scheme).
+		WithRESTMapper(testRESTMapper()).
+		WithObjects(model, route, maasPolicy).
+		WithStatusSubresource(&maasv1alpha1.MaaSAuthPolicy{}).
+		Build()
+
+	r := &MaaSAuthPolicyReconciler{
+		Client:           c,
+		Scheme:           scheme,
+		MaaSAPINamespace: "maas-system",
+		MetadataCacheTTL: 60,
+		AuthzCacheTTL:    60,
+	}
+
+	req := ctrl.Request{NamespacedName: types.NamespacedName{Name: maasPolicyName, Namespace: namespace}}
+	if _, err := r.Reconcile(context.Background(), req); err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+
+	got := &unstructured.Unstructured{}
+	got.SetGroupVersionKind(schema.GroupVersionKind{Group: "kuadrant.io", Version: "v1", Kind: "AuthPolicy"})
+	if err := c.Get(context.Background(), types.NamespacedName{Name: authPolicyName, Namespace: namespace}, got); err != nil {
+		t.Fatalf("Get AuthPolicy %q: %v", authPolicyName, err)
+	}
+
+	// Test 1: Verify response.success.headers does NOT exist (identity headers not forwarded upstream)
+	t.Run("identity headers not forwarded to upstream", func(t *testing.T) {
+		headers, found, err := unstructured.NestedMap(got.Object, "spec", "rules", "response", "success", "headers")
+		if err != nil {
+			t.Fatalf("Error checking headers: %v", err)
+		}
+
+		// Headers should either not exist or be empty
+		if found && len(headers) > 0 {
+			// Check that identity headers specifically are not present
+			forbiddenHeaders := []string{"X-MaaS-Username", "X-MaaS-Group", "X-MaaS-Key-Id", "X-MaaS-Subscription"}
+			for _, header := range forbiddenHeaders {
+				if _, exists := headers[header]; exists {
+					t.Errorf("Identity header %q should NOT be forwarded to upstream workloads (defense-in-depth)", header)
+				}
+			}
+		}
+	})
+
+	// Test 2: Verify filters.identity exists and contains all necessary data for TRLP and telemetry
+	t.Run("identity data available for TRLP and telemetry", func(t *testing.T) {
+		identity, found, err := unstructured.NestedMap(got.Object, "spec", "rules", "response", "success", "filters", "identity", "json", "properties")
+		if err != nil || !found {
+			t.Fatalf("filters.identity.json.properties missing: found=%v err=%v", found, err)
+		}
+
+		// Verify essential fields for TRLP
+		requiredFields := []string{
+			"userid",                      // User identification
+			"groups",                      // User groups
+			"selected_subscription_key",   // Model-scoped subscription key for TRLP
+			"selected_subscription",       // Subscription name
+			"subscription_labels",         // Labels for rate limit tiers
+		}
+
+		for _, field := range requiredFields {
+			if _, exists := identity[field]; !exists {
+				t.Errorf("filters.identity must include %q for TRLP/telemetry, but it's missing", field)
+			}
+		}
+
+		// Verify telemetry/observability fields
+		observabilityFields := []string{
+			"keyId",          // API key tracking
+			"organizationId", // Cost attribution
+			"costCenter",     // Chargeback
+		}
+
+		for _, field := range observabilityFields {
+			if _, exists := identity[field]; !exists {
+				t.Errorf("filters.identity should include %q for observability, but it's missing", field)
+			}
+		}
+	})
+
+	// Test 3: Verify metrics are enabled on identity filter
+	t.Run("identity filter has metrics enabled", func(t *testing.T) {
+		metricsEnabled, found, err := unstructured.NestedBool(got.Object, "spec", "rules", "response", "success", "filters", "identity", "metrics")
+		if err != nil || !found {
+			t.Fatalf("filters.identity.metrics missing: found=%v err=%v", found, err)
+		}
+
+		if !metricsEnabled {
+			t.Error("filters.identity.metrics must be true for telemetry to access identity data")
+		}
+	})
+}
+
 // contains is a helper to check if a string contains a substring (case-sensitive).
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && (s == substr || len(substr) == 0 ||