如何在基于python的web应用程序中实现基于属性的访问控制

我有一个用python编写的web应用程序(django REST框架(，现在我想在我的web应用上实现基于属性的访问控制(ABAC(以进行授权，我如何在此应用程序上实现ABAC策略(我可以使用XACML策略(如何在python web应用程序上实施XACML(吗？或者有其他方法在python上编写ABAC策略以及如何在我的web应用程序中实现吗？(我可以使用py ABAC吗？如何使用它？

import vakt
from vakt.rules import Eq, Any, StartsWith, And, Greater, Less
policy = vakt.Policy(
123456,
actions=[Eq('fork'), Eq('clone')],
resources=[StartsWith('repos/Google', ci=True)],
subjects=[{'name': Any(), 'stars': And(Greater(50), Less(999))}],
effect=vakt.ALLOW_ACCESS,
context={'referer': Eq('https://github.com')},
description="""
Allow to fork or clone any Google repository for
users that have > 50 and < 999 stars and came from Github
"""
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RulesChecker())
inq = vakt.Inquiry(action='fork',
resource='repos/google/tensorflow',
subject={'name': 'larry', 'stars': 80},
context={'referer': 'https://github.com'})
assert guard.is_allowed(inq)
Or if you prefer Amazon IAM Policies style:
import vakt
from vakt.rules import CIDR
policy = vakt.Policy(
123457,
effect=vakt.ALLOW_ACCESS,
subjects=[r'<[a-zA-Z]+ M[a-z]+>'],
resources=['library:books:<.+>', 'office:magazines:<.+>'],
actions=['<read|get>'],
context={
'ip': CIDR('192.168.0.0/24'),
},
description="""
Allow all readers of the book library whose surnames start with M get and read any book or magazine,
but only when they connect from local library's computer
""",
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage, vakt.RegexChecker())
inq = vakt.Inquiry(action='read',
resource='library:books:Hobbit',
subject='Jim Morrison',
context={'ip': '192.168.0.220'})
assert guard.is_allowed(inq)
Thanks in advance!