https://github.com/man4ish/omnibioai-policy-engine
Centralized RBAC/ABAC policy evaluation engine for OmniBioAI β evaluates access control decisions for all platform services using attribute-based and role-based rules. HPC-aware policies cover data access, tool execution, workflow submission, and administrative operations. Real-time enforcement with audit trail on every policy decision.
https://github.com/man4ish/omnibioai-policy-engine
abac hpc-security omnibioai policy-engine python rbac zero-trust
Last synced: 1 day ago
JSON representation
Centralized RBAC/ABAC policy evaluation engine for OmniBioAI β evaluates access control decisions for all platform services using attribute-based and role-based rules. HPC-aware policies cover data access, tool execution, workflow submission, and administrative operations. Real-time enforcement with audit trail on every policy decision.
- Host: GitHub
- URL: https://github.com/man4ish/omnibioai-policy-engine
- Owner: man4ish
- Created: 2026-05-14T00:04:58.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-06-13T07:13:42.000Z (27 days ago)
- Last Synced: 2026-06-13T09:12:46.262Z (26 days ago)
- Topics: abac, hpc-security, omnibioai, policy-engine, python, rbac, zero-trust
- Language: Python
- Homepage:
- Size: 534 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# π OmniBioAI Policy Engine
**Policy Engine is the authorization brain of the OmniBioAI ecosystem.**
It evaluates *who can do what*, *on which resource*, under *what conditions*.
It enforces RBAC + ABAC rules across distributed systems like TES, Workbench, Studio, and future HPC services.
---
## π§ What this service does
The Policy Engine answers a single question:
> **"Is this user allowed to perform this action on this resource?"**
It evaluates:
* Role-Based Access Control (RBAC)
* Attribute-Based Access Control (ABAC)
* Custom business rules
* HPC constraints (GPU / cluster / quota)
* Dataset-level access policies
---
## 𧬠Architecture Role
```
ββββββββββββββββββββββ
β Auth Service β
β (Identity) β
βββββββββββ¬βββββββββββ
β
βββββββββββΌβββββββββββ
β IAM Client β
β (Fast cache layer) β
βββββββββββ¬βββββββββββ
β
βββββββββββΌβββββββββββ
β Policy Engine β
β (Decision layer) β
βββββββββββ¬βββββββββββ
β
ββββββββββββββββββββΌβββββββββββββββββββ
βΌ βΌ βΌ
TES Workbench Studio
```
---
## βοΈ Core Features
### π RBAC (Role-Based Access Control)
* Admin, researcher, data scientist roles
* Action-level restrictions
### π§ ABAC (Attribute-Based Access Control)
* GPU usage restrictions
* HPC node access control
* Dataset sensitivity rules
### π Rule Engine
* Domain-specific policies
* Bioinformatics dataset protection rules
* Model registry immutability rules
---
## π API Overview
### Evaluate Policy
```http
POST /policy/evaluate
```
---
### Request
```json
{
"user_id": "123",
"roles": ["researcher"],
"permissions": [],
"action": "tes.run_workflow",
"resource": "rnaseq_pipeline",
"context": {
"gpu_required": true,
"node": "hpc"
}
}
```
---
### Response
```json
{
"allowed": true,
"reason": "access granted",
"policy_source": "ALL_PASSED"
}
```
---
## Running
### Via OmniBioAI Studio (recommended)
```bash
cd ~/Desktop/machine/omnibioai-studio
docker compose up -d policy-engine
```
Access (internal only β not exposed externally):
`http://policy-engine:8001` (Docker internal network)
### Standalone (development)
```bash
pip install -r requirements.txt
uvicorn app.main:app --host 0.0.0.0 --port 8001 --reload
```
### Health check
```bash
curl http://localhost:8001/health
# {"status": "ok"}
```
### Environment variables
| Variable | Default | Description |
|----------|---------|-------------|
| `REDIS_URL` | `redis://redis:6379` | Redis for policy cache |
| `OPA_URL` | β | Optional OPA backend URL |
---
## π§ Policy Evaluation Flow
1. **RBAC check**
* Validates user roles
2. **ABAC check**
* Evaluates runtime context (GPU, HPC, etc.)
3. **Rule engine**
* Applies domain-specific constraints
4. **Decision returned**
* ALLOW / DENY + reason
---
## π§© Integration Points
This service is used by:
* TES (workflow execution authorization)
* Workbench (dataset access control)
* Studio (pipeline execution control)
* IAM Client (future cached policy decisions)
---
## Testing
```bash
cd ~/Desktop/machine/omnibioai-policy-engine
pytest tests/ -v --cov=.
# 48 tests passing
# 93% coverage
# Covers: RBAC, ABAC, rule engine, cache, policy service, routes
```
---
## β‘ Design Philosophy
* Stateless API
* Deterministic decisions
* Fast evaluation (<10ms target)
* Extendable rule system
* HPC-aware security model
---
## π§ͺ Example Use Cases
### 1. Prevent GPU abuse
* Only GPU-enabled users can run ML pipelines
### 2. Protect genomic datasets
* Human genome datasets require elevated permissions
### 3. Control HPC usage
* Cluster-specific access control
### 4. Secure model registry
* Prevent deletion of production models
---
## Roadmap
| Feature | Status |
|---------|--------|
| Redis caching for policy decisions | β Implemented |
| RBAC/ABAC evaluation | β Stable |
| Custom rule engine | β Stable |
| OPA (Open Policy Agent) backend | Planned |
| Policy versioning system | Planned |
| Org-level multi-tenancy | Planned v0.5 |
---
## π Tech Stack
* FastAPI
* Python 3.11+
* Pydantic models
* Pluggable RBAC/ABAC engine
* Redis caching (implemented)
---
## Related Services
| Service | Role |
|---------|------|
| `omnibioai-api-gateway` | Calls `/policy/evaluate` on every request |
| `omnibioai-auth` | Provides identity (roles/permissions) to policy engine |
| `omnibioai-hpc-policy-engine` | Handles compute-specific governance |
| `omnibioai-security-audit` | Receives policy decision audit events |
| `omnibioai-studio` | Manages policy-engine container lifecycle |
---
## 𧬠Why this exists
In a distributed bioinformatics + AI system, you need:
* Compute governance
* Data protection
* Reproducibility control
* Multi-user safety
This service ensures **every action is explicitly authorized**.
---
## π§ Summary
The Policy Engine is the **decision-making layer** of OmniBioAI.
If Auth says:
> βWho are you?β
Then Policy Engine says:
> βWhat are you allowed to do?β