An open API service indexing awesome lists of open source software.

https://github.com/man4ish/omnibioai-policy-engine

Centralized RBAC/ABAC policy evaluation engine for OmniBioAI β€” evaluates access control decisions for all platform services using attribute-based and role-based rules. HPC-aware policies cover data access, tool execution, workflow submission, and administrative operations. Real-time enforcement with audit trail on every policy decision.
https://github.com/man4ish/omnibioai-policy-engine

abac hpc-security omnibioai policy-engine python rbac zero-trust

Last synced: 1 day ago
JSON representation

Centralized RBAC/ABAC policy evaluation engine for OmniBioAI β€” evaluates access control decisions for all platform services using attribute-based and role-based rules. HPC-aware policies cover data access, tool execution, workflow submission, and administrative operations. Real-time enforcement with audit trail on every policy decision.

Awesome Lists containing this project

README

          

# πŸ“˜ OmniBioAI Policy Engine

**Policy Engine is the authorization brain of the OmniBioAI ecosystem.**
It evaluates *who can do what*, *on which resource*, under *what conditions*.

It enforces RBAC + ABAC rules across distributed systems like TES, Workbench, Studio, and future HPC services.

---

## 🧠 What this service does

The Policy Engine answers a single question:

> **"Is this user allowed to perform this action on this resource?"**

It evaluates:

* Role-Based Access Control (RBAC)
* Attribute-Based Access Control (ABAC)
* Custom business rules
* HPC constraints (GPU / cluster / quota)
* Dataset-level access policies

---

## 🧬 Architecture Role

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Auth Service β”‚
β”‚ (Identity) β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ IAM Client β”‚
β”‚ (Fast cache layer) β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ Policy Engine β”‚
β”‚ (Decision layer) β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
β”‚
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β–Ό β–Ό β–Ό
TES Workbench Studio
```

---

## βš™οΈ Core Features

### πŸ” RBAC (Role-Based Access Control)

* Admin, researcher, data scientist roles
* Action-level restrictions

### 🧠 ABAC (Attribute-Based Access Control)

* GPU usage restrictions
* HPC node access control
* Dataset sensitivity rules

### πŸ“œ Rule Engine

* Domain-specific policies
* Bioinformatics dataset protection rules
* Model registry immutability rules

---

## πŸš€ API Overview

### Evaluate Policy

```http
POST /policy/evaluate
```

---

### Request

```json
{
"user_id": "123",
"roles": ["researcher"],
"permissions": [],
"action": "tes.run_workflow",
"resource": "rnaseq_pipeline",
"context": {
"gpu_required": true,
"node": "hpc"
}
}
```

---

### Response

```json
{
"allowed": true,
"reason": "access granted",
"policy_source": "ALL_PASSED"
}
```

---

## Running

### Via OmniBioAI Studio (recommended)

```bash
cd ~/Desktop/machine/omnibioai-studio
docker compose up -d policy-engine
```

Access (internal only β€” not exposed externally):
`http://policy-engine:8001` (Docker internal network)

### Standalone (development)

```bash
pip install -r requirements.txt
uvicorn app.main:app --host 0.0.0.0 --port 8001 --reload
```

### Health check

```bash
curl http://localhost:8001/health
# {"status": "ok"}
```

### Environment variables

| Variable | Default | Description |
|----------|---------|-------------|
| `REDIS_URL` | `redis://redis:6379` | Redis for policy cache |
| `OPA_URL` | β€” | Optional OPA backend URL |

---

## 🧠 Policy Evaluation Flow

1. **RBAC check**

* Validates user roles

2. **ABAC check**

* Evaluates runtime context (GPU, HPC, etc.)

3. **Rule engine**

* Applies domain-specific constraints

4. **Decision returned**

* ALLOW / DENY + reason

---

## 🧩 Integration Points

This service is used by:

* TES (workflow execution authorization)
* Workbench (dataset access control)
* Studio (pipeline execution control)
* IAM Client (future cached policy decisions)

---

## Testing

```bash
cd ~/Desktop/machine/omnibioai-policy-engine
pytest tests/ -v --cov=.

# 48 tests passing
# 93% coverage
# Covers: RBAC, ABAC, rule engine, cache, policy service, routes
```

---

## ⚑ Design Philosophy

* Stateless API
* Deterministic decisions
* Fast evaluation (<10ms target)
* Extendable rule system
* HPC-aware security model

---

## πŸ§ͺ Example Use Cases

### 1. Prevent GPU abuse

* Only GPU-enabled users can run ML pipelines

### 2. Protect genomic datasets

* Human genome datasets require elevated permissions

### 3. Control HPC usage

* Cluster-specific access control

### 4. Secure model registry

* Prevent deletion of production models

---

## Roadmap

| Feature | Status |
|---------|--------|
| Redis caching for policy decisions | βœ“ Implemented |
| RBAC/ABAC evaluation | βœ“ Stable |
| Custom rule engine | βœ“ Stable |
| OPA (Open Policy Agent) backend | Planned |
| Policy versioning system | Planned |
| Org-level multi-tenancy | Planned v0.5 |

---

## πŸ›  Tech Stack

* FastAPI
* Python 3.11+
* Pydantic models
* Pluggable RBAC/ABAC engine
* Redis caching (implemented)

---

## Related Services

| Service | Role |
|---------|------|
| `omnibioai-api-gateway` | Calls `/policy/evaluate` on every request |
| `omnibioai-auth` | Provides identity (roles/permissions) to policy engine |
| `omnibioai-hpc-policy-engine` | Handles compute-specific governance |
| `omnibioai-security-audit` | Receives policy decision audit events |
| `omnibioai-studio` | Manages policy-engine container lifecycle |

---

## 🧬 Why this exists

In a distributed bioinformatics + AI system, you need:

* Compute governance
* Data protection
* Reproducibility control
* Multi-user safety

This service ensures **every action is explicitly authorized**.

---

## 🧠 Summary

The Policy Engine is the **decision-making layer** of OmniBioAI.

If Auth says:

> β€œWho are you?”

Then Policy Engine says:

> β€œWhat are you allowed to do?”