我有一个用python（django REST框架）编写的Web应用程序，现在我想在Web应用程序上实现基于属性的访问控制（ABAC）进行授权，如何在此应用程序上实现ABAC策略（我可以使用XACML）策略（如何在python Web应用程序上实现xacml）或是否有其他方法可以在python上编写ABAC策略以及如何在我的Web应用程序上实现） 我可以使用py-ABAC以及如何使用它吗？

import vakt
from vakt.rules import Eq,Any,StartsWith,And,Greater,Less

policy = vakt.Policy(
    123456,actions=[Eq('fork'),Eq('clone')],resources=[StartsWith('repos/Google',ci=True)],subjects=[{'name': Any(),'stars': And(Greater(50),Less(999))}],effect=vakt.ALLOW_ACCESS,context={'referer': Eq('https://github.com')},description="""
    Allow to fork or clone any Google repository for
    users that have > 50 and < 999 stars and came from Github
    """
)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage,vakt.RulesChecker())

inq = vakt.Inquiry(action='fork',resource='repos/google/tensorflow',subject={'name': 'larry','stars': 80},context={'referer': 'https://github.com'})

assert guard.is_allowed(inq)
Or if you prefer Amazon IAM Policies style:

import vakt
from vakt.rules import CIDR

policy = vakt.Policy(
    123457,subjects=[r'<[a-zA-Z]+ M[a-z]+>'],resources=['library:books:<.+>','office:magazines:<.+>'],actions=['<read|get>'],context={
        'ip': CIDR('192.168.0.0/24'),},description="""
    Allow all readers of the book library whose surnames start with M get and read any book or magazine,but only when they connect from local library's computer
    """,)
storage = vakt.MemoryStorage()
storage.add(policy)
guard = vakt.Guard(storage,vakt.RegexChecker())

inq = vakt.Inquiry(action='read',resource='library:books:Hobbit',subject='Jim Morrison',context={'ip': '192.168.0.220'})

assert guard.is_allowed(inq)

Thanks in advance!  

解决方法

{"Request":{"AccessSubject":
{"Attribute":
[ {"AttributeId":"user.name","Value":"alice"} ]
},"Resource":
{"Attribute":
[ {"AttributeId":"resource.objectType","Value":"insurance claim"} ]
},"Action":
{"Attribute":
[ {"AttributeId":"action-id","Value":"view"}]
}
}
}