{"id":51510295,"url":"https://github.com/man4ish/omnibioai-policy-engine","last_synced_at":"2026-07-08T05:01:58.591Z","repository":{"id":364491944,"uuid":"1238232921","full_name":"man4ish/omnibioai-policy-engine","owner":"man4ish","description":"Centralized RBAC/ABAC policy evaluation engine for OmniBioAI — evaluates access control decisions for all platform services using attribute-based and role-based rules. HPC-aware policies cover data access, tool execution, workflow submission, and administrative operations. Real-time enforcement with audit trail on every policy decision.","archived":false,"fork":false,"pushed_at":"2026-06-13T07:13:42.000Z","size":547,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T09:12:46.262Z","etag":null,"topics":["abac","hpc-security","omnibioai","policy-engine","python","rbac","zero-trust"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/man4ish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T00:04:58.000Z","updated_at":"2026-06-13T07:13:45.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/man4ish/omnibioai-policy-engine","commit_stats":null,"previous_names":["man4ish/omnibioai-policy-engine"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/man4ish/omnibioai-policy-engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-policy-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-policy-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-policy-engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-policy-engine/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/man4ish","download_url":"https://codeload.github.com/man4ish/omnibioai-policy-engine/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-policy-engine/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35252324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","hpc-security","omnibioai","policy-engine","python","rbac","zero-trust"],"created_at":"2026-07-08T05:01:57.706Z","updated_at":"2026-07-08T05:01:58.569Z","avatar_url":"https://github.com/man4ish.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 📘 OmniBioAI Policy Engine\n\n**Policy Engine is the authorization brain of the OmniBioAI ecosystem.**\nIt evaluates *who can do what*, *on which resource*, under *what conditions*.\n\nIt enforces RBAC + ABAC rules across distributed systems like TES, Workbench, Studio, and future HPC services.\n\n---\n\n## 🧠 What this service does\n\nThe Policy Engine answers a single question:\n\n\u003e **\"Is this user allowed to perform this action on this resource?\"**\n\nIt evaluates:\n\n* Role-Based Access Control (RBAC)\n* Attribute-Based Access Control (ABAC)\n* Custom business rules\n* HPC constraints (GPU / cluster / quota)\n* Dataset-level access policies\n\n---\n\n## 🧬 Architecture Role\n\n```\n                 ┌────────────────────┐\n                 │  Auth Service      │\n                 │  (Identity)        │\n                 └─────────┬──────────┘\n                           │\n                 ┌─────────▼──────────┐\n                 │ IAM Client         │\n                 │ (Fast cache layer) │\n                 └─────────┬──────────┘\n                           │\n                 ┌─────────▼──────────┐\n                 │ Policy Engine      │\n                 │ (Decision layer)   │\n                 └─────────┬──────────┘\n                           │\n        ┌──────────────────┼──────────────────┐\n        ▼                  ▼                  ▼\n      TES             Workbench           Studio\n```\n\n---\n\n## ⚙️ Core Features\n\n### 🔐 RBAC (Role-Based Access Control)\n\n* Admin, researcher, data scientist roles\n* Action-level restrictions\n\n### 🧠 ABAC (Attribute-Based Access Control)\n\n* GPU usage restrictions\n* HPC node access control\n* Dataset sensitivity rules\n\n### 📜 Rule Engine\n\n* Domain-specific policies\n* Bioinformatics dataset protection rules\n* Model registry immutability rules\n\n---\n\n## 🚀 API Overview\n\n### Evaluate Policy\n\n```http\nPOST /policy/evaluate\n```\n\n---\n\n### Request\n\n```json\n{\n  \"user_id\": \"123\",\n  \"roles\": [\"researcher\"],\n  \"permissions\": [],\n  \"action\": \"tes.run_workflow\",\n  \"resource\": \"rnaseq_pipeline\",\n  \"context\": {\n    \"gpu_required\": true,\n    \"node\": \"hpc\"\n  }\n}\n```\n\n---\n\n### Response\n\n```json\n{\n  \"allowed\": true,\n  \"reason\": \"access granted\",\n  \"policy_source\": \"ALL_PASSED\"\n}\n```\n\n---\n\n## Running\n\n### Via OmniBioAI Studio (recommended)\n\n```bash\ncd ~/Desktop/machine/omnibioai-studio\ndocker compose up -d policy-engine\n```\n\nAccess (internal only — not exposed externally):\n`http://policy-engine:8001` (Docker internal network)\n\n### Standalone (development)\n\n```bash\npip install -r requirements.txt\nuvicorn app.main:app --host 0.0.0.0 --port 8001 --reload\n```\n\n### Health check\n\n```bash\ncurl http://localhost:8001/health\n# {\"status\": \"ok\"}\n```\n\n### Environment variables\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `REDIS_URL` | `redis://redis:6379` | Redis for policy cache |\n| `OPA_URL` | — | Optional OPA backend URL |\n\n---\n\n## 🧠 Policy Evaluation Flow\n\n1. **RBAC check**\n\n   * Validates user roles\n\n2. **ABAC check**\n\n   * Evaluates runtime context (GPU, HPC, etc.)\n\n3. **Rule engine**\n\n   * Applies domain-specific constraints\n\n4. **Decision returned**\n\n   * ALLOW / DENY + reason\n\n---\n\n## 🧩 Integration Points\n\nThis service is used by:\n\n* TES (workflow execution authorization)\n* Workbench (dataset access control)\n* Studio (pipeline execution control)\n* IAM Client (future cached policy decisions)\n\n---\n\n## Testing\n\n```bash\ncd ~/Desktop/machine/omnibioai-policy-engine\npytest tests/ -v --cov=.\n\n# 48 tests passing\n# 93% coverage\n# Covers: RBAC, ABAC, rule engine, cache, policy service, routes\n```\n\n---\n\n## ⚡ Design Philosophy\n\n* Stateless API\n* Deterministic decisions\n* Fast evaluation (\u003c10ms target)\n* Extendable rule system\n* HPC-aware security model\n\n---\n\n## 🧪 Example Use Cases\n\n### 1. Prevent GPU abuse\n\n* Only GPU-enabled users can run ML pipelines\n\n### 2. Protect genomic datasets\n\n* Human genome datasets require elevated permissions\n\n### 3. Control HPC usage\n\n* Cluster-specific access control\n\n### 4. Secure model registry\n\n* Prevent deletion of production models\n\n---\n\n## Roadmap\n\n| Feature | Status |\n|---------|--------|\n| Redis caching for policy decisions | ✓ Implemented |\n| RBAC/ABAC evaluation | ✓ Stable |\n| Custom rule engine | ✓ Stable |\n| OPA (Open Policy Agent) backend | Planned |\n| Policy versioning system | Planned |\n| Org-level multi-tenancy | Planned v0.5 |\n\n---\n\n## 🛠 Tech Stack\n\n* FastAPI\n* Python 3.11+\n* Pydantic models\n* Pluggable RBAC/ABAC engine\n* Redis caching (implemented)\n\n---\n\n## Related Services\n\n| Service | Role |\n|---------|------|\n| `omnibioai-api-gateway` | Calls `/policy/evaluate` on every request |\n| `omnibioai-auth` | Provides identity (roles/permissions) to policy engine |\n| `omnibioai-hpc-policy-engine` | Handles compute-specific governance |\n| `omnibioai-security-audit` | Receives policy decision audit events |\n| `omnibioai-studio` | Manages policy-engine container lifecycle |\n\n---\n\n## 🧬 Why this exists\n\nIn a distributed bioinformatics + AI system, you need:\n\n* Compute governance\n* Data protection\n* Reproducibility control\n* Multi-user safety\n\nThis service ensures **every action is explicitly authorized**.\n\n---\n\n## 🧠 Summary\n\nThe Policy Engine is the **decision-making layer** of OmniBioAI.\n\nIf Auth says:\n\n\u003e “Who are you?”\n\nThen Policy Engine says:\n\n\u003e “What are you allowed to do?”\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-policy-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fman4ish%2Fomnibioai-policy-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-policy-engine/lists"}