Merge pull request #3316 from jumpserver/dev

Dev
Merge pull request #3315 from jumpserver/dev_bai
2025-12-15 16:42:34 +00:00 · 2019-10-09 17:32:02 +08:00 · 2019-10-09 17:24:20 +08:00 · 2019-10-09 17:23:22 +08:00 · 2019-10-09 10:50:12 +08:00 · 2019-10-09 10:43:51 +08:00
802 changed files with 140947 additions and 22640 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,4 +4,6 @@ data/*
 .github
 tmp/*
 django.db
-celerybeat.pid
+celerybeat.pid
+### Vagrant ###
+.vagrant/
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,7 +1,8 @@
 [简述你的问题]

+
 ##### 使用版本
-[请提供你使用的Jumpserver版本 0.3.2 或 0.5.0]
+[请提供你使用的Jumpserver版本 1.x.x 注: 0.3.x不再提供支持]

 ##### 问题复现步骤
 1. [步骤1]
--- a/.gitignore
+++ b/.gitignore
@@ -17,7 +17,7 @@ dump.rdb
 .idea/
 db.sqlite3
 config.py
-migrations/
+config.yml
 *.log
 host_rsa_key
 *.bat
@@ -33,3 +33,6 @@ celerybeat-schedule.db
 data/static
 docs/_build/
 xpack
+logs/*
+### Vagrant ###
+.vagrant/
--- a/26
+++ b/26
@@ -0,0 +1,26 @@
+FROM registry.fit2cloud.com/public/python:v3
+MAINTAINER Jumpserver Team <ibuler@qq.com>
+
+WORKDIR /opt/jumpserver
+RUN useradd jumpserver
+
+COPY ./requirements /tmp/requirements
+
+RUN yum -y install epel-release && \
+      echo -e "[mysql]\nname=mysql\nbaseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el6/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/mysql.repo
+RUN cd /tmp/requirements && yum -y install $(cat rpm_requirements.txt)
+RUN cd /tmp/requirements && pip install --upgrade pip setuptools && \
+    pip install -i https://mirrors.aliyun.com/pypi/simple/ -r requirements.txt || pip install -r requirements.txt
+RUN mkdir -p /root/.ssh/ && echo -e "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config
+
+COPY . /opt/jumpserver
+RUN echo > config.yml
+VOLUME /opt/jumpserver/data
+VOLUME /opt/jumpserver/logs
+
+ENV LANG=zh_CN.UTF-8
+ENV LC_ALL=zh_CN.UTF-8
+
+EXPOSE 8070
+EXPOSE 8080
+ENTRYPOINT ["./entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -1,52 +1,198 @@
-## Jumpserver
+# Jumpserver 多云环境下更好用的堡垒机

 [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
-[![Django](https://img.shields.io/badge/django-1.11-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
-[![Ansible](https://img.shields.io/badge/ansible-2.2.2.0-blue.svg?style=plastic)](https://www.ansible.com/)
-[![Paramiko](https://img.shields.io/badge/paramiko-2.1.2-green.svg?style=plastic)](http://www.paramiko.org/)
+[![Django](https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
+[![Ansible](https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic)](https://www.ansible.com/)
+[![Paramiko](https://img.shields.io/badge/paramiko-2.4.1-green.svg?style=plastic)](http://www.paramiko.org/)

+Jumpserver 是全球首款完全开源的堡垒机，使用 GNU GPL v2.0 开源协议，是符合 4A 机制的运维安全审计系统。

----
+Jumpserver 使用 Python / Django 进行开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。

-Jumpserver是全球首款完全开源的堡垒机，使用GNU GPL v2.0开源协议，是符合 4A 的专业运维审计系统。
-
-Jumpserver使用Python / Django 进行开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 解决方案，交互界面美观、用户体验好。
-
-Jumpserver采纳分布式架构，支持多机房跨区域部署，中心节点提供 API，各机房部署登录节点，可横向扩展、无并发限制。
+Jumpserver 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。

 改变世界，从一点点开始。

----
+注: [KubeOperator](https://github.com/KubeOperator/KubeOperator) 是 Jumpserver 团队在 Kubernetes 领域的的又一全新力作，欢迎关注和使用。

-### 功能
+## 核心功能列表

- ![Jumpserver功能](https://jumpserver-release.oss-cn-hangzhou.aliyuncs.com/Jumpserver13.jpg "Jumpserver功能")
+<table class="subscription-level-table">
+    <tr class="subscription-level-tr-border">
+        <td class="features-first-td-background-style" rowspan="4">身份验证 Authentication</td>
+        <td class="features-second-td-background-style" rowspan="3" >登录认证
+        </td>
+        <td class="features-third-td-background-style">资源统一登录和认证
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">LDAP 认证
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">支持 OpenID，实现单点登录
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">多因子认证
+        </td>
+        <td class="features-third-td-background-style">MFA（Google Authenticator）
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-first-td-background-style" rowspan="9">账号管理 Account</td>
+        <td class="features-second-td-background-style" rowspan="2">集中账号管理
+        </td>
+        <td class="features-third-td-background-style">管理用户管理
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">系统用户管理
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style" rowspan="4">统一密码管理
+        </td>
+        <td class="features-third-td-background-style">资产密码托管
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">自动生成密码
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">密码自动推送
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">密码过期设置
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-outline-td-background-style" rowspan="2">批量密码变更(X-PACK)
+        </td>
+        <td class="features-outline-td-background-style">定期批量修改密码
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-outline-td-background-style">生成随机密码
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-outline-td-background-style">多云环境的资产纳管(X-PACK)
+        </td>
+        <td class="features-outline-td-background-style">对私有云、公有云资产统一纳管
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-first-td-background-style" rowspan="9">授权控制 Authorization</td>
+        <td class="features-second-td-background-style" rowspan="3">资产授权管理
+        </td>
+        <td class="features-third-td-background-style">资产树
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">资产或资产组灵活授权
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">节点内资产自动继承授权
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-outline-td-background-style">RemoteApp(X-PACK)
+        </td>
+        <td class="features-outline-td-background-style">实现更细粒度的应用级授权
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-outline-td-background-style">组织管理(X-PACK)
+        </td>
+        <td class="features-outline-td-background-style">实现多租户管理，权限隔离
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">多维度授权
+        </td>
+        <td class="features-third-td-background-style">可对用户、用户组或系统角色授权
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">指令限制
+        </td>
+        <td class="features-third-td-background-style">限制特权指令使用，支持黑白名单
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">统一文件传输
+        </td>
+        <td class="features-third-td-background-style">SFTP 文件上传/下载
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">文件管理
+        </td>
+        <td class="features-third-td-background-style">Web SFTP 文件管理
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-first-td-background-style" rowspan="6">安全审计 Audit</td>
+        <td class="features-second-td-background-style" rowspan="2">会话管理
+        </td>
+        <td class="features-third-td-background-style">在线会话管理
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">历史会话管理
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style" rowspan="2">录像管理
+        </td>
+        <td class="features-third-td-background-style">Linux 录像支持
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-third-td-background-style">Windows 录像支持
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">指令审计
+        </td>
+        <td class="features-third-td-background-style">指令记录
+        </td>
+    </tr>
+    <tr class="subscription-level-tr-border">
+        <td class="features-second-td-background-style">文件传输审计
+        </td>
+        <td class="features-third-td-background-style">上传/下载记录审计
+        </td>
+    </tr>
+</table>

-### 开始使用
+## 安装及使用指南

-快速开始文档  [Docker安装](http://docs.jumpserver.org/zh/docs/dockerinstall.html)
+-  [Docker 快速安装文档](http://docs.jumpserver.org/zh/docs/dockerinstall.html)
+-  [Step by Step 安装文档](http://docs.jumpserver.org/zh/docs/step_by_step.html)
+-  [完整文档](http://docs.jumpserver.org)

-一步一步安装文档 [详细部署](http://docs.jumpserver.org/zh/docs/step_by_step.html)
+## 演示视频和截屏

-也可以查看我们完整文档包括了使用和开发 [文档](http://docs.jumpserver.org)
+我们提供了演示视频和系统截图可以让你快速了解 Jumpserver：

-### Demo 和 截图
+- [演示视频](https://jumpserver.oss-cn-hangzhou.aliyuncs.com/jms-media/%E3%80%90%E6%BC%94%E7%A4%BA%E8%A7%86%E9%A2%91%E3%80%91Jumpserver%20%E5%A0%A1%E5%9E%92%E6%9C%BA%20V1.5.0%20%E6%BC%94%E7%A4%BA%E8%A7%86%E9%A2%91%20-%20final.mp4)
+- [系统截图](http://docs.jumpserver.org/zh/docs/snapshot.html)

-我们提供了DEMO和截图可以让你快速了解Jumpserver
+## SDK

-[DEMO](http://demo.jumpserver.org)
-[截图](http://docs.jumpserver.org/zh/docs/snapshot.html)
+我们编写了一些SDK，供您的其它系统快速和 Jumpserver API 交互：

-### SDK
+- [Python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver 其它组件使用这个 SDK 完成交互
+- [Java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) 恺珺同学提供的 Java 版本的 SDK

-我们还编写了一些SDK，供你其它系统快速和Jumpserver APi交互，
+## License & Copyright

- [python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver其它组件使用这个SDK完成交互
- [java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) 恺珺同学提供的Java版本的SDK
-
-
-### License & Copyright
-Copyright (c) 2014-2018 Beijing Duizhan Tech, Inc., All rights reserved.
+Copyright (c) 2014-2019 飞致云 FIT2CLOUD, All rights reserved.

 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

--- a/README_EN.md
+++ b/README_EN.md
@@ -0,0 +1,60 @@
+## Jumpserver 
+
+![Total visitor](https://visitor-count-badge.herokuapp.com/total.svg?repo_id=jumpserver)
+![Visitors in today](https://visitor-count-badge.herokuapp.com/today.svg?repo_id=jumpserver)
+[![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
+[![Django](https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
+[![Ansible](https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic)](https://www.ansible.com/)
+[![Paramiko](https://img.shields.io/badge/paramiko-2.4.1-green.svg?style=plastic)](http://www.paramiko.org/)
+
+
+----
+
+- [中文版](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
+
+Jumpserver is the first fully open source bastion in the world, based on the GNU GPL v2.0 open source protocol. Jumpserver is a  professional operation and maintenance audit system conforms to 4A specifications.
+
+Jumpserver is developed using Python / Django, conforms to the Web 2.0 specification, and is equipped with the industry-leading Web Terminal solution which have beautiful interface and great user experience.
+
+Jumpserver adopts a distributed architecture to support multi-branch deployment across multiple areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.
+
+Change the world, starting from little things.
+
+----
+
+### Features
+
+ ![Jumpserver 功能](https://jumpserver-release.oss-cn-hangzhou.aliyuncs.com/Jumpserver148.jpeg "Jumpserver 功能")
+
+### Start 
+
+Quick start  [Docker Install](http://docs.jumpserver.org/zh/docs/dockerinstall.html)
+
+Step by Step deployment. [Docs](http://docs.jumpserver.org/zh/docs/step_by_step.html)
+
+Full documentation [Docs](http://docs.jumpserver.org)
+
+### Demo、Video 和 Snapshot
+
+We provide online demo, demo video and screenshots to get you started quickly.
+
+[Demo](https://demo.jumpserver.org/auth/login/?next=/)
+[Video](https://fit2cloud2-offline-installer.oss-cn-beijing.aliyuncs.com/tools/Jumpserver%20%E4%BB%8B%E7%BB%8Dv1.4.mp4)
+[Snapshot](http://docs.jumpserver.org/zh/docs/snapshot.html)
+
+### SDK
+
+We provide the SDK for your other systems to quickly interact with the Jumpserver API.
+
+- [Python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver other components use this SDK to complete the interaction.
+- [Java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) 恺珺同学提供的Java版本的SDK thanks to 恺珺 for provide Java SDK
+
+
+### License & Copyright
+Copyright (c) 2014-2019 Beijing Duizhan Tech, Inc., All rights reserved.
+
+Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+https://www.gnu.org/licenses/gpl-2.0.html
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--- a/56
+++ b/56
@@ -0,0 +1,56 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box_check_update = false
+  config.vm.box = "centos/7"
+  config.vm.hostname = "jumpserver"
+  config.vm.network "private_network", ip: "172.17.8.101"
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "4096"
+    vb.cpus = 2
+    vb.name = "jumpserver"
+  end
+
+  config.vm.synced_folder ".", "/vagrant", type: "rsync",
+    rsync__verbose: true,
+    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
+
+  config.vm.provision "shell", inline: <<-SHELL
+## 设置yum的阿里云源
+sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
+sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
+sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
+sudo yum makecache
+
+## 安装依赖包
+sudo yum install -y python36 python36-devel python36-pip \
+		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
+     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
+     openldap-devel mariadb-devel mysql-devel libffi-devel \
+     openssh-clients telnet openldap-clients gcc
+
+## 配置pip阿里云源
+mkdir /home/vagrant/.pip
+cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
+[global]
+timeout = 6000
+index-url = https://mirrors.aliyun.com/pypi/simple/
+
+[install]
+use-mirrors = true
+mirrors = https://mirrors.aliyun.com/pypi/simple/
+trusted-host=mirrors.aliyun.com
+EOF
+
+python3.6 -m venv /home/vagrant/venv
+source /home/vagrant/venv/bin/activate
+echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
+  SHELL
+end
--- a/apps/init.py
+++ b/apps/init.py
@@ -1,5 +1,3 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
-
-__version__ = "1.4.0"
--- a/apps/applications/init.py
+++ b/apps/applications/init.py
--- a/apps/applications/admin.py
+++ b/apps/applications/admin.py
@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.
--- a/apps/applications/api/init.py
+++ b/apps/applications/api/init.py
@@ -0,0 +1 @@
+from .remote_app import *
--- a/apps/applications/api/remote_app.py
+++ b/apps/applications/api/remote_app.py
@@ -0,0 +1,29 @@
+# coding: utf-8
+#
+
+
+from rest_framework import generics
+
+from orgs.mixins.api import OrgBulkModelViewSet
+from ..hands import IsOrgAdmin, IsAppUser
+from ..models import RemoteApp
+from ..serializers import RemoteAppSerializer, RemoteAppConnectionInfoSerializer
+
+
+__all__ = [
+    'RemoteAppViewSet', 'RemoteAppConnectionInfoApi',
+]
+
+
+class RemoteAppViewSet(OrgBulkModelViewSet):
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdmin,)
+    queryset = RemoteApp.objects.all()
+    serializer_class = RemoteAppSerializer
+
+
+class RemoteAppConnectionInfoApi(generics.RetrieveAPIView):
+    queryset = RemoteApp.objects.all()
+    permission_classes = (IsAppUser, )
+    serializer_class = RemoteAppConnectionInfoSerializer
--- a/apps/applications/apps.py
+++ b/apps/applications/apps.py
@@ -0,0 +1,7 @@
+from __future__ import unicode_literals
+
+from django.apps import AppConfig
+
+
+class ApplicationsConfig(AppConfig):
+    name = 'applications'
--- a/apps/applications/const.py
+++ b/apps/applications/const.py
@@ -0,0 +1,68 @@
+#  coding: utf-8
+#
+
+from django.utils.translation import ugettext_lazy as _
+
+
+# RemoteApp
+REMOTE_APP_BOOT_PROGRAM_NAME = '||jmservisor'
+
+REMOTE_APP_TYPE_CHROME = 'chrome'
+REMOTE_APP_TYPE_MYSQL_WORKBENCH = 'mysql_workbench'
+REMOTE_APP_TYPE_VMWARE_CLIENT = 'vmware_client'
+REMOTE_APP_TYPE_CUSTOM = 'custom'
+
+REMOTE_APP_TYPE_CHOICES = (
+    (
+        _('Browser'),
+        (
+            (REMOTE_APP_TYPE_CHROME, 'Chrome'),
+        )
+    ),
+    (
+        _('Database tools'),
+        (
+            (REMOTE_APP_TYPE_MYSQL_WORKBENCH, 'MySQL Workbench'),
+        )
+    ),
+    (
+        _('Virtualization tools'),
+        (
+            (REMOTE_APP_TYPE_VMWARE_CLIENT, 'vSphere Client'),
+        )
+    ),
+    (REMOTE_APP_TYPE_CUSTOM, _('Custom')),
+
+)
+
+# Fields attribute write_only default => False
+
+REMOTE_APP_TYPE_CHROME_FIELDS = [
+    {'name': 'chrome_target'},
+    {'name': 'chrome_username'},
+    {'name': 'chrome_password', 'write_only': True}
+]
+REMOTE_APP_TYPE_MYSQL_WORKBENCH_FIELDS = [
+    {'name': 'mysql_workbench_ip'},
+    {'name': 'mysql_workbench_name'},
+    {'name': 'mysql_workbench_username'},
+    {'name': 'mysql_workbench_password', 'write_only': True}
+]
+REMOTE_APP_TYPE_VMWARE_CLIENT_FIELDS = [
+    {'name': 'vmware_target'},
+    {'name': 'vmware_username'},
+    {'name': 'vmware_password', 'write_only': True}
+]
+REMOTE_APP_TYPE_CUSTOM_FIELDS = [
+    {'name': 'custom_cmdline'},
+    {'name': 'custom_target'},
+    {'name': 'custom_username'},
+    {'name': 'custom_password', 'write_only': True}
+]
+
+REMOTE_APP_TYPE_MAP_FIELDS = {
+    REMOTE_APP_TYPE_CHROME: REMOTE_APP_TYPE_CHROME_FIELDS,
+    REMOTE_APP_TYPE_MYSQL_WORKBENCH: REMOTE_APP_TYPE_MYSQL_WORKBENCH_FIELDS,
+    REMOTE_APP_TYPE_VMWARE_CLIENT: REMOTE_APP_TYPE_VMWARE_CLIENT_FIELDS,
+    REMOTE_APP_TYPE_CUSTOM: REMOTE_APP_TYPE_CUSTOM_FIELDS
+}
--- a/apps/applications/forms/init.py
+++ b/apps/applications/forms/init.py
@@ -0,0 +1 @@
+from .remote_app import *
--- a/apps/applications/forms/remote_app.py
+++ b/apps/applications/forms/remote_app.py
@@ -0,0 +1,123 @@
+#  coding: utf-8
+#
+
+from django.utils.translation import ugettext as _
+from django import forms
+
+from orgs.mixins.forms import OrgModelForm
+from assets.models import SystemUser
+
+from ..models import RemoteApp
+from .. import const
+
+
+__all__ = [
+    'RemoteAppCreateUpdateForm',
+]
+
+
+class RemoteAppTypeChromeForm(forms.ModelForm):
+    chrome_target = forms.CharField(
+        max_length=128, label=_('Target URL'), required=False
+    )
+    chrome_username = forms.CharField(
+        max_length=128, label=_('Login username'), required=False
+    )
+    chrome_password = forms.CharField(
+        widget=forms.PasswordInput, strip=True,
+        max_length=128, label=_('Login password'), required=False
+    )
+
+
+class RemoteAppTypeMySQLWorkbenchForm(forms.ModelForm):
+    mysql_workbench_ip = forms.CharField(
+        max_length=128, label=_('Database IP'), required=False
+    )
+    mysql_workbench_name = forms.CharField(
+        max_length=128, label=_('Database name'), required=False
+    )
+    mysql_workbench_username = forms.CharField(
+        max_length=128, label=_('Database username'), required=False
+    )
+    mysql_workbench_password = forms.CharField(
+        widget=forms.PasswordInput, strip=True,
+        max_length=128, label=_('Database password'), required=False
+    )
+
+
+class RemoteAppTypeVMwareForm(forms.ModelForm):
+    vmware_target = forms.CharField(
+        max_length=128, label=_('Target address'), required=False
+    )
+    vmware_username = forms.CharField(
+        max_length=128, label=_('Login username'), required=False
+    )
+    vmware_password = forms.CharField(
+        widget=forms.PasswordInput, strip=True,
+        max_length=128, label=_('Login password'), required=False
+    )
+
+
+class RemoteAppTypeCustomForm(forms.ModelForm):
+    custom_cmdline = forms.CharField(
+        max_length=128, label=_('Operating parameter'), required=False
+    )
+    custom_target = forms.CharField(
+        max_length=128, label=_('Target address'), required=False
+    )
+    custom_username = forms.CharField(
+        max_length=128, label=_('Login username'), required=False
+    )
+    custom_password = forms.CharField(
+        widget=forms.PasswordInput, strip=True,
+        max_length=128, label=_('Login password'), required=False
+    )
+
+
+class RemoteAppTypeForms(
+    RemoteAppTypeChromeForm,
+    RemoteAppTypeMySQLWorkbenchForm,
+    RemoteAppTypeVMwareForm,
+    RemoteAppTypeCustomForm
+):
+    pass
+
+
+class RemoteAppCreateUpdateForm(RemoteAppTypeForms, OrgModelForm):
+    def __init__(self, *args, **kwargs):
+        # 过滤RDP资产和系统用户
+        super().__init__(*args, **kwargs)
+        field_asset = self.fields['asset']
+        field_asset.queryset = field_asset.queryset.has_protocol('rdp')
+
+    class Meta:
+        model = RemoteApp
+        fields = [
+            'name', 'asset', 'type', 'path', 'comment'
+        ]
+        widgets = {
+            'asset': forms.Select(attrs={
+                'class': 'select2', 'data-placeholder': _('Asset')
+            }),
+        }
+
+    def _clean_params(self):
+        app_type = self.data.get('type')
+        fields = const.REMOTE_APP_TYPE_MAP_FIELDS.get(app_type, [])
+        params = {}
+        for field in fields:
+            name = field['name']
+            value = self.cleaned_data[name]
+            params.update({name: value})
+        return params
+
+    def _save_params(self, instance):
+        params = self._clean_params()
+        instance.params = params
+        instance.save()
+        return instance
+
+    def save(self, commit=True):
+        instance = super().save(commit=commit)
+        instance = self._save_params(instance)
+        return instance
--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -0,0 +1,15 @@
+"""
+    jumpserver.__app__.hands.py
+    ~~~~~~~~~~~~~~~~~
+
+    This app depends other apps api, function .. should be import or write mack here.
+
+    Other module of this app shouldn't connect with other app.
+
+    :copyright: (c) 2014-2018 by Jumpserver Team.
+    :license: GPL v2, see LICENSE for more details.
+"""
+
+
+from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
+from users.models import User, UserGroup
--- a/apps/applications/migrations/0001_initial.py
+++ b/apps/applications/migrations/0001_initial.py
@@ -0,0 +1,42 @@
+# Generated by Django 2.1.7 on 2019-05-20 11:04
+
+import common.fields.model
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ('assets', '0026_auto_20190325_2035'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='RemoteApp',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('type', models.CharField(choices=[('Browser', (('chrome', 'Chrome'),)), ('Database tools', (('mysql_workbench', 'MySQL Workbench'),)), ('Virtualization tools', (('vmware_client', 'vSphere Client'),)), ('custom', 'Custom')], default='chrome', max_length=128, verbose_name='App type')),
+                ('path', models.CharField(max_length=128, verbose_name='App path')),
+                ('params', common.fields.model.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
+                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Asset', verbose_name='Asset')),
+                ('system_user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.SystemUser', verbose_name='System user')),
+            ],
+            options={
+                'verbose_name': 'RemoteApp',
+                'ordering': ('name',),
+            },
+        ),
+        migrations.AlterUniqueTogether(
+            name='remoteapp',
+            unique_together={('org_id', 'name')},
+        ),
+    ]
--- a/apps/applications/migrations/0002_remove_remoteapp_system_user.py
+++ b/apps/applications/migrations/0002_remove_remoteapp_system_user.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-09-09 09:57
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0001_initial'),
+        ('perms', '0009_remoteapppermission_system_users'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='remoteapp',
+            name='system_user',
+        ),
+    ]
--- a/apps/applications/migrations/init.py
+++ b/apps/applications/migrations/init.py
--- a/apps/applications/models/init.py
+++ b/apps/applications/models/init.py
@@ -0,0 +1 @@
+from .remote_app import *
--- a/apps/applications/models/remote_app.py
+++ b/apps/applications/models/remote_app.py
@@ -0,0 +1,78 @@
+# coding: utf-8
+#
+
+import uuid
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from orgs.mixins.models import OrgModelMixin
+from common.fields.model import EncryptJsonDictTextField
+
+from .. import const
+
+
+__all__ = [
+    'RemoteApp',
+]
+
+
+class RemoteApp(OrgModelMixin):
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    name = models.CharField(max_length=128, verbose_name=_('Name'))
+    asset = models.ForeignKey(
+        'assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset')
+    )
+    type = models.CharField(
+        default=const.REMOTE_APP_TYPE_CHROME,
+        choices=const.REMOTE_APP_TYPE_CHOICES,
+        max_length=128, verbose_name=_('App type')
+    )
+    path = models.CharField(
+        max_length=128, blank=False, null=False,
+        verbose_name=_('App path')
+    )
+    params = EncryptJsonDictTextField(
+        max_length=4096, default={}, blank=True, null=True,
+        verbose_name=_('Parameters')
+    )
+    created_by = models.CharField(
+        max_length=32, null=True, blank=True, verbose_name=_('Created by')
+    )
+    date_created = models.DateTimeField(
+        auto_now_add=True, null=True, blank=True, verbose_name=_('Date created')
+    )
+    comment = models.TextField(
+        max_length=128, default='', blank=True, verbose_name=_('Comment')
+    )
+
+    class Meta:
+        verbose_name = _("RemoteApp")
+        unique_together = [('org_id', 'name')]
+        ordering = ('name', )
+
+    def __str__(self):
+        return self.name
+
+    @property
+    def parameters(self):
+        """
+        返回Guacamole需要的RemoteApp配置参数信息中的parameters参数
+        """
+        _parameters = list()
+        _parameters.append(self.type)
+        path = '\"%s\"' % self.path
+        _parameters.append(path)
+        for field in const.REMOTE_APP_TYPE_MAP_FIELDS[self.type]:
+            value = self.params.get(field['name'])
+            if value is None:
+                continue
+            _parameters.append(value)
+        _parameters = ' '.join(_parameters)
+        return _parameters
+
+    @property
+    def asset_info(self):
+        return {
+            'id': self.asset.id,
+            'hostname': self.asset.hostname
+        }
--- a/apps/applications/serializers/init.py
+++ b/apps/applications/serializers/init.py
@@ -0,0 +1 @@
+from .remote_app import *
--- a/apps/applications/serializers/remote_app.py
+++ b/apps/applications/serializers/remote_app.py
@@ -0,0 +1,103 @@
+# coding: utf-8
+#
+
+
+from rest_framework import serializers
+
+from common.serializers import AdaptedBulkListSerializer
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+
+from .. import const
+from ..models import RemoteApp
+
+
+__all__ = [
+    'RemoteAppSerializer', 'RemoteAppConnectionInfoSerializer',
+]
+
+
+class RemoteAppParamsDictField(serializers.DictField):
+    """
+    RemoteApp field => params
+    """
+    @staticmethod
+    def filter_attribute(attribute, instance):
+        """
+        过滤掉params字段值中write_only特性的key-value值
+        For example, the chrome_password field is not returned when serializing
+        {
+            'chrome_target': 'http://www.jumpserver.org/',
+            'chrome_username': 'admin',
+            'chrome_password': 'admin',
+        }
+        """
+        for field in const.REMOTE_APP_TYPE_MAP_FIELDS[instance.type]:
+            if field.get('write_only', False):
+                attribute.pop(field['name'], None)
+        return attribute
+
+    def get_attribute(self, instance):
+        """
+        序列化时调用
+        """
+        attribute = super().get_attribute(instance)
+        attribute = self.filter_attribute(attribute, instance)
+        return attribute
+
+    @staticmethod
+    def filter_value(dictionary, value):
+        """
+        过滤掉不属于当前app_type所包含的key-value值
+        """
+        app_type = dictionary.get('type', const.REMOTE_APP_TYPE_CHROME)
+        fields = const.REMOTE_APP_TYPE_MAP_FIELDS[app_type]
+        fields_names = [field['name'] for field in fields]
+        no_need_keys = [k for k in value.keys() if k not in fields_names]
+        for k in no_need_keys:
+            value.pop(k)
+        return value
+
+    def get_value(self, dictionary):
+        """
+        反序列化时调用
+        """
+        value = super().get_value(dictionary)
+        value = self.filter_value(dictionary, value)
+        return value
+
+
+class RemoteAppSerializer(BulkOrgResourceModelSerializer):
+    params = RemoteAppParamsDictField()
+
+    class Meta:
+        model = RemoteApp
+        list_serializer_class = AdaptedBulkListSerializer
+        fields = [
+            'id', 'name', 'asset', 'type', 'path', 'params',
+            'comment', 'created_by', 'date_created', 'asset_info',
+            'get_type_display',
+        ]
+        read_only_fields = [
+            'created_by', 'date_created', 'asset_info',
+            'get_type_display'
+        ]
+
+
+class RemoteAppConnectionInfoSerializer(serializers.ModelSerializer):
+    parameter_remote_app = serializers.SerializerMethodField()
+
+    class Meta:
+        model = RemoteApp
+        fields = [
+            'id', 'name', 'asset', 'parameter_remote_app',
+        ]
+        read_only_fields = ['parameter_remote_app']
+
+    @staticmethod
+    def get_parameter_remote_app(obj):
+        parameter = {
+            'program': const.REMOTE_APP_BOOT_PROGRAM_NAME,
+            'working_directory': '',
+            'parameters': obj.parameters,
+        }
+        return parameter
--- a/apps/applications/templates/applications/remote_app_create_update.html
+++ b/apps/applications/templates/applications/remote_app_create_update.html
@@ -0,0 +1,158 @@
+{% extends '_base_create_update.html' %}
+{% load static %}
+{% load bootstrap3 %}
+{% load i18n %}
+
+{% block form %}
+    <form id="appForm" method="post" class="form-horizontal">
+        {% if form.non_field_errors %}
+            <div class="alert alert-danger">
+                {{ form.non_field_errors }}
+            </div>
+        {% endif %}
+        {% csrf_token %}
+        {% bootstrap_field form.name layout="horizontal" %}
+        {% bootstrap_field form.asset layout="horizontal" %}
+        {% bootstrap_field form.type layout="horizontal" %}
+        {% bootstrap_field form.path layout="horizontal" %}
+
+        <div class="hr-line-dashed"></div>
+
+        {# chrome #}
+        <div class="chrome-fields">
+        {% bootstrap_field form.chrome_target layout="horizontal" %}
+        {% bootstrap_field form.chrome_username layout="horizontal" %}
+        {% bootstrap_field form.chrome_password layout="horizontal" %}
+        </div>
+
+        {# mysql workbench #}
+        <div class="mysql_workbench-fields">
+            {% bootstrap_field form.mysql_workbench_ip layout="horizontal" %}
+            {% bootstrap_field form.mysql_workbench_name layout="horizontal" %}
+            {% bootstrap_field form.mysql_workbench_username layout="horizontal" %}
+            {% bootstrap_field form.mysql_workbench_password layout="horizontal" %}
+        </div>
+
+        {# vmware #}
+        <div class="vmware_client-fields">
+        {% bootstrap_field form.vmware_target layout="horizontal" %}
+        {% bootstrap_field form.vmware_username layout="horizontal" %}
+        {% bootstrap_field form.vmware_password layout="horizontal" %}
+        </div>
+
+        {# custom #}
+        <div class="custom-fields">
+        {% bootstrap_field form.custom_cmdline layout="horizontal" %}
+        {% bootstrap_field form.custom_target layout="horizontal" %}
+        {% bootstrap_field form.custom_username layout="horizontal" %}
+        {% bootstrap_field form.custom_password layout="horizontal" %}
+        </div>
+
+        {% bootstrap_field form.comment layout="horizontal" %}
+        <div class="hr-line-dashed"></div>
+        <div class="form-group">
+            <div class="col-sm-4 col-sm-offset-2">
+                <button class="btn btn-default" type="reset"> {% trans 'Reset' %}</button>
+
+                <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
+            </div>
+        </div>
+
+    </form>
+{% endblock %}
+
+{% block custom_foot_js %}
+<script type="text/javascript">
+var app_type_id = '#' + '{{ form.type.id_for_label }}';
+var app_path_id = '#' + '{{ form.path.id_for_label }}';
+var all_type_fields = [
+    '.chrome-fields',
+    '.mysql_workbench-fields',
+    '.vmware_client-fields',
+    '.custom-fields'
+];
+var app_type_map_default_fields_value = {
+    'chrome': {
+        'app_path': 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'
+    },
+    'mysql_workbench': {
+        'app_path': 'C:\\Program Files\\MySQL\\MySQL Workbench 8.0 CE\\MySQLWorkbench.exe'
+    },
+    'vmware_client': {
+        'app_path': 'C:\\Program Files (x86)\\VMware\\Infrastructure\\Virtual Infrastructure Client\\Launcher\\VpxClient.exe'
+    },
+    'custom': {'app_path': ''}
+};
+function getAppType(){
+    return $(app_type_id+ " option:selected").val();
+}
+function initialDefaultValue(){
+    var app_type = getAppType();
+    var app_path = $(app_path_id).val();
+    if(app_path){
+        app_type_map_default_fields_value[app_type]['app_path'] = app_path
+    }
+}
+function setDefaultValue(){
+    // 设置类型相关字段的默认值
+    var app_type = getAppType();
+    var app_path = app_type_map_default_fields_value[app_type]['app_path'];
+    $(app_path_id).val(app_path)
+}
+function hiddenFields(){
+    var app_type = getAppType();
+    $.each(all_type_fields, function(index, value){
+        $(value).addClass('hidden')
+    });
+    $('.' + app_type + '-fields').removeClass('hidden');
+}
+function constructParams(data) {
+    var typeList = ['chrome', 'mysql_workbench', 'vmware_client', 'custom'];
+    var params = {};
+    $.each(typeList, function(index, value){
+        if (data.type === value){
+            for (var k in data){
+                if (k.startsWith(value)){
+                    params[k] = data[k]
+                }
+            }
+        }
+    });
+    return params;
+}
+$(document).ready(function () {
+    $('.select2').select2({
+        closeOnSelect: true
+    });
+    initialDefaultValue();
+    hiddenFields();
+    setDefaultValue();
+})
+.on('change', app_type_id, function(){
+    hiddenFields();
+    setDefaultValue();
+})
+.on("submit", "form", function (evt) {
+    evt.preventDefault();
+    var the_url = '{% url "api-applications:remote-app-list" %}';
+    var redirect_to = '{% url "applications:remote-app-list" %}';
+    var method = "POST";
+    {% if type == "update" %}
+        the_url = '{% url "api-applications:remote-app-detail" object.id %}';
+        method = "PUT";
+    {% endif %}
+    var form = $("form");
+    var data = form.serializeObject();
+    data["params"] = constructParams(data);
+    var props = {
+        url: the_url,
+        data: data,
+        method: method,
+        form: form,
+        redirect_to: redirect_to
+     };
+    formSubmit(props);
+ })
+;
+</script>
+{% endblock %}
--- a/apps/applications/templates/applications/remote_app_detail.html
+++ b/apps/applications/templates/applications/remote_app_detail.html
@@ -0,0 +1,105 @@
+{% extends 'base.html' %}
+{% load static %}
+{% load i18n %}
+
+{% block custom_head_css_js %}
+    <link href="{% static 'css/plugins/select2/select2.min.css' %}" rel="stylesheet">
+    <script src="{% static 'js/plugins/select2/select2.full.min.js' %}"></script>
+{% endblock %}
+
+{% block content %}
+    <div class="wrapper wrapper-content animated fadeInRight">
+        <div class="row">
+            <div class="col-sm-12">
+                <div class="ibox float-e-margins">
+                    <div class="panel-options">
+                        <ul class="nav nav-tabs">
+                            <li class="active">
+                                <a href="{% url 'applications:remote-app-detail' pk=remote_app.id %}" class="text-center"><i class="fa fa-laptop"></i> {% trans 'Detail' %} </a>
+                            </li>
+                            <li class="pull-right">
+                                <a class="btn btn-outline btn-default" href="{% url 'applications:remote-app-update' pk=remote_app.id %}"><i class="fa fa-edit"></i>{% trans 'Update' %}</a>
+                            </li>
+                            <li class="pull-right">
+                                <a class="btn btn-outline btn-danger btn-delete-application">
+                                    <i class="fa fa-trash-o"></i>{% trans 'Delete' %}
+                                </a>
+                            </li>
+                        </ul>
+                    </div>
+                    <div class="tab-content">
+                        <div class="col-sm-8" style="padding-left: 0;">
+                            <div class="ibox float-e-margins">
+                                <div class="ibox-title">
+                                    <span class="label"><b>{{ remote_app.name }}</b></span>
+                                    <div class="ibox-tools">
+                                        <a class="collapse-link">
+                                            <i class="fa fa-chevron-up"></i>
+                                        </a>
+                                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
+                                            <i class="fa fa-wrench"></i>
+                                        </a>
+                                        <ul class="dropdown-menu dropdown-user">
+                                        </ul>
+                                        <a class="close-link">
+                                            <i class="fa fa-times"></i>
+                                        </a>
+                                    </div>
+                                </div>
+                                <div class="ibox-content">
+                                    <table class="table">
+                                        <tbody>
+                                        <tr class="no-borders-tr">
+                                            <td>{% trans 'Name' %}:</td>
+                                            <td><b>{{ remote_app.name }}</b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'Asset' %}:</td>
+                                            <td><b><a href="{% url 'assets:asset-detail' pk=remote_app.asset.id %}">{{ remote_app.asset.hostname }}</a></b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'App type' %}:</td>
+                                            <td><b>{{ remote_app.get_type_display }}</b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'App path' %}:</td>
+                                            <td><b>{{ remote_app.path }}</b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'Date created' %}:</td>
+                                            <td><b>{{ remote_app.date_created }}</b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'Created by' %}:</td>
+                                            <td><b>{{ remote_app.created_by  }}</b></td>
+                                        </tr>
+                                        <tr>
+                                            <td>{% trans 'Comment' %}:</td>
+                                            <td><b>{{ remote_app.comment }}</b></td>
+                                        </tr>
+                                        </tbody>
+                                    </table>
+                                </div>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}
+{% block custom_foot_js %}
+<script>
+jumpserver.nodes_selected = {};
+$(document).ready(function () {
+})
+.on('click', '.btn-delete-application', function () {
+    var $this = $(this);
+    var name = "{{ remote_app.name }}";
+    var rid = "{{ remote_app.id }}";
+    var the_url = '{% url "api-applications:remote-app-detail" pk=DEFAULT_PK %}'.replace('{{ DEFAULT_PK }}', rid);
+    var redirect_url = "{% url 'applications:remote-app-list' %}";
+    objectDelete($this, name, the_url, redirect_url);
+})
+</script>
+{% endblock %}
--- a/apps/applications/templates/applications/remote_app_list.html
+++ b/apps/applications/templates/applications/remote_app_list.html
@@ -0,0 +1,87 @@
+{% extends '_base_list.html' %}
+{% load i18n static %}
+{% block help_message %}
+<div class="alert alert-info help-message">
+    {% trans 'Before using this feature, make sure that the application loader has been uploaded to the application server and successfully published as a RemoteApp application' %}
+    <b><a href="https://github.com/jumpserver/Jmservisor/releases" target="view_window" >{% trans 'Download application loader' %}</a></b>
+</div>
+{% endblock %}
+{% block table_search %}{% endblock %}
+{% block table_container %}
+    <div class="uc pull-left  m-r-5">
+        <a href="{% url 'applications:remote-app-create' %}" class="btn btn-sm btn-primary"> {% trans "Create RemoteApp" %} </a>
+    </div>
+    <table class="table table-striped table-bordered table-hover " id="remote_app_list_table" >
+        <thead>
+        <tr>
+            <th class="text-center">
+                <input type="checkbox" id="check_all" class="ipt_check_all" >
+            </th>
+            <th class="text-center">{% trans 'Name' %}</th>
+            <th class="text-center">{% trans 'App type' %}</th>
+            <th class="text-center">{% trans 'Asset' %}</th>
+            <th class="text-center">{% trans 'Comment' %}</th>
+            <th class="text-center">{% trans 'Action' %}</th>
+        </tr>
+        </thead>
+        <tbody>
+        </tbody>
+    </table>
+{% endblock %}
+{% block content_bottom_left %}{% endblock %}
+{% block custom_foot_js %}
+<script>
+function initTable() {
+    var options = {
+        ele: $('#remote_app_list_table'),
+        columnDefs: [
+            {targets: 1, createdCell: function (td, cellData, rowData) {
+                    cellData = htmlEscape(cellData);
+                    {% url 'applications:remote-app-detail' pk=DEFAULT_PK as the_url  %}
+                    var detail_btn = '<a href="{{ the_url }}">' + cellData + '</a>';
+                    $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
+                }},
+            {targets: 3, createdCell: function (td, cellData, rowData) {
+                    var hostname = htmlEscape(cellData.hostname);
+                    var detail_btn = '<a href="{% url 'assets:asset-detail' pk=DEFAULT_PK %}">' + hostname + '</a>';
+                    $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', cellData.id));
+                }},
+            {targets: 3, createdCell: function (td, cellData, rowData) {
+                    var comment = htmlEscape(cellData);
+                    $(td).html(comment)
+                }},
+            {targets: 5, createdCell: function (td, cellData, rowData) {
+                    var update_btn = '<a href="{% url "applications:remote-app-update" pk=DEFAULT_PK %}" class="btn btn-xs btn-info">{% trans "Update" %}</a>'.replace("{{ DEFAULT_PK }}", cellData);
+                    var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-delete" data-rid="{{ DEFAULT_PK }}">{% trans "Delete" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
+                    $(td).html(update_btn + del_btn)
+                }}
+        ],
+        ajax_url: '{% url "api-applications:remote-app-list" %}',
+        columns: [
+            {data: "id"},
+            {data: "name" },
+            {data: "get_type_display", orderable: false},
+            {data: "asset_info", orderable: false},
+            {data: "comment"},
+            {data: "id", orderable: false}
+        ],
+        op_html: $('#actions').html()
+    };
+    jumpserver.initServerSideDataTable(options);
+}
+$(document).ready(function(){
+    initTable();
+})
+.on('click', '.btn-delete', function () {
+    var $this = $(this);
+    var $data_table = $('#remote_app_list_table').DataTable();
+    var name = $(this).closest("tr").find(":nth-child(2)").children('a').html();
+    var rid = $this.data('rid');
+    var the_url = '{% url "api-applications:remote-app-detail" pk=DEFAULT_PK %}'.replace('{{ DEFAULT_PK }}', rid);
+    objectDelete($this, name, the_url);
+    setTimeout( function () {
+        $data_table.ajax.reload();
+    }, 3000);
+});
+</script>
+{% endblock %}
--- a/apps/applications/templates/applications/user_remote_app_list.html
+++ b/apps/applications/templates/applications/user_remote_app_list.html
@@ -0,0 +1,73 @@
+{% extends 'base.html' %}
+{% load i18n static %}
+
+{% block custom_head_css_js %}
+    <script src="{% static 'js/jquery.form.min.js' %}"></script>
+{% endblock %}
+
+{% block content %}
+<div class="mail-box-header">
+    <table class="table table-striped table-bordered table-hover " id="remote_app_list_table" >
+        <thead>
+        <tr>
+            <th class="text-center">
+                <input type="checkbox" id="check_all" class="ipt_check_all" >
+            </th>
+            <th class="text-center">{% trans 'Name' %}</th>
+            <th class="text-center">{% trans 'App type' %}</th>
+            <th class="text-center">{% trans 'Asset' %}</th>
+            <th class="text-center">{% trans 'Comment' %}</th>
+            <th class="text-center">{% trans 'Action' %}</th>
+        </tr>
+        </thead>
+        <tbody>
+        </tbody>
+    </table>
+</div>
+{% endblock %}
+{% block custom_foot_js %}
+<script>
+var inited = false;
+var remote_app_table, url;
+
+function initTable() {
+    if (inited){
+        return
+    } else {
+        inited = true;
+    }
+    url = '{% url "api-perms:my-remote-apps" %}';
+    var options = {
+        ele: $('#remote_app_list_table'),
+        columnDefs: [
+            {targets: 1, createdCell: function (td, cellData, rowData) {
+                    var name = htmlEscape(cellData);
+                    $(td).html(name)
+                }},
+            {targets: 3, createdCell: function (td, cellData, rowData) {
+                    var hostname = htmlEscape(cellData.hostname);
+                    $(td).html(hostname);
+                }},
+            {targets: 5, createdCell: function (td, cellData, rowData) {
+                    var conn_btn = '<a href="{% url "luna-view" %}?type=remote_app&login_to=' +  cellData +'" class="btn btn-xs btn-primary" target="_blank">{% trans "Connect" %}</a>'.replace("{{ DEFAULT_PK }}", cellData);
+                    $(td).html(conn_btn)
+                }}
+        ],
+        ajax_url: url,
+        columns: [
+            {data: "id"},
+            {data: "name"},
+            {data: "get_type_display", orderable: false},
+            {data: "asset_info", orderable: false},
+            {data: "comment", orderable: false},
+            {data: "id", orderable: false}
+        ]
+    };
+    remote_app_table = jumpserver.initServerSideDataTable(options);
+    return remote_app_table
+}
+$(document).ready(function(){
+    initTable();
+})
+</script>
+{% endblock %}
--- a/apps/applications/tests.py
+++ b/apps/applications/tests.py
@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.
--- a/apps/applications/urls/init.py
+++ b/apps/applications/urls/init.py
@@ -0,0 +1,7 @@
+#  coding: utf-8
+#
+
+
+__all__ = [
+
+]
--- a/apps/applications/urls/api_urls.py
+++ b/apps/applications/urls/api_urls.py
@@ -0,0 +1,22 @@
+# coding:utf-8
+#
+
+from django.urls import path, re_path
+from rest_framework_bulk.routes import BulkRouter
+
+from common import api as capi
+from .. import api
+
+app_name = 'applications'
+
+router = BulkRouter()
+router.register(r'remote-apps', api.RemoteAppViewSet, 'remote-app')
+
+urlpatterns = [
+    path('remote-apps/<uuid:pk>/connection-info/', api.RemoteAppConnectionInfoApi.as_view(), name='remote-app-connection-info'),
+]
+old_version_urlpatterns = [
+    re_path('(?P<resource>remote-app)/.*', capi.redirect_plural_name_api)
+]
+
+urlpatterns += router.urls + old_version_urlpatterns
--- a/apps/applications/urls/views_urls.py
+++ b/apps/applications/urls/views_urls.py
@@ -0,0 +1,16 @@
+# coding:utf-8
+from django.urls import path
+from .. import views
+
+app_name = 'applications'
+
+urlpatterns = [
+    # RemoteApp
+    path('remote-app/', views.RemoteAppListView.as_view(), name='remote-app-list'),
+    path('remote-app/create/', views.RemoteAppCreateView.as_view(), name='remote-app-create'),
+    path('remote-app/<uuid:pk>/update/', views.RemoteAppUpdateView.as_view(), name='remote-app-update'),
+    path('remote-app/<uuid:pk>/', views.RemoteAppDetailView.as_view(), name='remote-app-detail'),
+    # User RemoteApp view
+    path('user-remote-app/', views.UserRemoteAppListView.as_view(), name='user-remote-app-list')
+
+]
--- a/apps/applications/views/init.py
+++ b/apps/applications/views/init.py
@@ -0,0 +1 @@
+from .remote_app import *
--- a/apps/applications/views/remote_app.py
+++ b/apps/applications/views/remote_app.py
@@ -0,0 +1,105 @@
+#  coding: utf-8
+#
+
+from django.utils.translation import ugettext as _
+from django.views.generic import TemplateView
+from django.views.generic.edit import CreateView, UpdateView
+from django.views.generic.detail import DetailView
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+
+
+from common.permissions import PermissionsMixin, IsOrgAdmin, IsValidUser
+from common.const import create_success_msg, update_success_msg
+
+from ..models import RemoteApp
+from .. import forms
+
+
+__all__ = [
+    'RemoteAppListView', 'RemoteAppCreateView', 'RemoteAppUpdateView',
+    'RemoteAppDetailView', 'UserRemoteAppListView',
+]
+
+
+class RemoteAppListView(PermissionsMixin, TemplateView):
+    template_name = 'applications/remote_app_list.html'
+    permission_classes = [IsOrgAdmin]
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'app': _('Applications'),
+            'action': _('RemoteApp list'),
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+
+class RemoteAppCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
+    template_name = 'applications/remote_app_create_update.html'
+    model = RemoteApp
+    form_class = forms.RemoteAppCreateUpdateForm
+    success_url = reverse_lazy('applications:remote-app-list')
+    permission_classes = [IsOrgAdmin]
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'app': _('Applications'),
+            'action': _('Create RemoteApp'),
+            'type': 'create'
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+    def get_success_message(self, cleaned_data):
+        return create_success_msg % ({'name': cleaned_data['name']})
+
+
+class RemoteAppUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
+    template_name = 'applications/remote_app_create_update.html'
+    model = RemoteApp
+    form_class = forms.RemoteAppCreateUpdateForm
+    success_url = reverse_lazy('applications:remote-app-list')
+    permission_classes = [IsOrgAdmin]
+
+    def get_initial(self):
+        return {k: v for k, v in self.object.params.items()}
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'app': _('Applications'),
+            'action': _('Update RemoteApp'),
+            'type': 'update'
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+    def get_success_message(self, cleaned_data):
+        return update_success_msg % ({'name': cleaned_data['name']})
+
+
+class RemoteAppDetailView(PermissionsMixin, DetailView):
+    template_name = 'applications/remote_app_detail.html'
+    model = RemoteApp
+    context_object_name = 'remote_app'
+    permission_classes = [IsOrgAdmin]
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'app': _('Applications'),
+            'action': _('RemoteApp detail'),
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
+
+
+class UserRemoteAppListView(PermissionsMixin, TemplateView):
+    template_name = 'applications/user_remote_app_list.html'
+    permission_classes = [IsValidUser]
+
+    def get_context_data(self, **kwargs):
+        context = {
+            'action': _('My RemoteApp'),
+        }
+        kwargs.update(context)
+        return super().get_context_data(**kwargs)
--- a/apps/assets/api/init.py
+++ b/apps/assets/api/init.py
@@ -4,3 +4,6 @@ from .label import *
 from .system_user import *
 from .node import *
 from .domain import *
+from .cmd_filter import *
+from .asset_user import *
+from .gathered_user import *
--- a/apps/assets/api/admin_user.py
+++ b/apps/assets/api/admin_user.py
@@ -14,29 +14,34 @@
 # limitations under the License.

 from django.db import transaction
+from django.shortcuts import get_object_or_404
 from rest_framework import generics
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
+from orgs.mixins.api import OrgBulkModelViewSet

-from common.mixins import IDInFilterMixin
+from common.mixins import CommonApiMixin
 from common.utils import get_logger
 from ..hands import IsOrgAdmin
 from ..models import AdminUser, Asset
 from .. import serializers
-from ..tasks import test_admin_user_connectability_manual
+from ..tasks import test_admin_user_connectivity_manual


 logger = get_logger(__file__)
 __all__ = [
    'AdminUserViewSet', 'ReplaceNodesAdminUserApi',
    'AdminUserTestConnectiveApi', 'AdminUserAuthApi',
+    'AdminUserAssetsListView',
 ]


-class AdminUserViewSet(IDInFilterMixin, BulkModelViewSet):
+class AdminUserViewSet(OrgBulkModelViewSet):
    """
    Admin user api set, for add,delete,update,list,retrieve resource
    """
+
+    filter_fields = ("name", "username")
+    search_fields = filter_fields
    queryset = AdminUser.objects.all()
    serializer_class = serializers.AdminUserSerializer
    permission_classes = (IsOrgAdmin,)
@@ -72,12 +77,29 @@ class ReplaceNodesAdminUserApi(generics.UpdateAPIView):

 class AdminUserTestConnectiveApi(generics.RetrieveAPIView):
    """
-    Test asset admin user connectivity
+    Test asset admin user assets_connectivity
    """
    queryset = AdminUser.objects.all()
    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.TaskIDSerializer

    def retrieve(self, request, *args, **kwargs):
        admin_user = self.get_object()
-        task = test_admin_user_connectability_manual.delay(admin_user)
+        task = test_admin_user_connectivity_manual.delay(admin_user)
        return Response({"task": task.id})
+
+
+class AdminUserAssetsListView(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.AssetSimpleSerializer
+    filter_fields = ("hostname", "ip")
+    http_method_names = ['get']
+    search_fields = filter_fields
+
+    def get_object(self):
+        pk = self.kwargs.get('pk')
+        return get_object_or_404(AdminUser, pk=pk)
+
+    def get_queryset(self):
+        admin_user = self.get_object()
+        return admin_user.get_related_assets()
--- a/apps/assets/api/asset.py
+++ b/apps/assets/api/asset.py
@@ -2,89 +2,55 @@
 #

 import random
-import time

-from rest_framework import generics, permissions
+from rest_framework import generics
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
-from rest_framework_bulk import ListBulkCreateUpdateDestroyAPIView
-from rest_framework.pagination import LimitOffsetPagination
 from django.shortcuts import get_object_or_404
-from django.db.models import Q

-from common.mixins import IDInFilterMixin
-from common.utils import get_logger
-from common.permissions import IsOrgAdmin, IsAppUser, IsOrgAdminOrAppUser
-from ..models import Asset, SystemUser, AdminUser, Node
+from common.utils import get_logger, get_object_or_none
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
+from orgs.mixins.api import OrgBulkModelViewSet
+from ..models import Asset, AdminUser, Node
 from .. import serializers
 from ..tasks import update_asset_hardware_info_manual, \
-    test_asset_connectability_manual
-from ..utils import LabelFilter
+    test_asset_connectivity_manual
+from ..filters import AssetByNodeFilterBackend, LabelFilterBackend


 logger = get_logger(__file__)
 __all__ = [
-    'AssetViewSet', 'AssetListUpdateApi',
+    'AssetViewSet',
    'AssetRefreshHardwareApi', 'AssetAdminUserTestApi',
-    'AssetGatewayApi'
+    'AssetGatewayApi',
 ]


-class AssetViewSet(IDInFilterMixin, LabelFilter, BulkModelViewSet):
+class AssetViewSet(OrgBulkModelViewSet):
    """
    API endpoint that allows Asset to be viewed or edited.
    """
-    filter_fields = ("hostname", "ip")
-    search_fields = filter_fields
+    filter_fields = ("hostname", "ip", "systemuser__id", "admin_user__id")
+    search_fields = ("hostname", "ip")
    ordering_fields = ("hostname", "ip", "port", "cpu_cores")
    queryset = Asset.objects.all()
    serializer_class = serializers.AssetSerializer
-    pagination_class = LimitOffsetPagination
-    permission_classes = (permissions.AllowAny,)
+    permission_classes = (IsOrgAdminOrAppUser,)
+    extra_filter_backends = [AssetByNodeFilterBackend, LabelFilterBackend]

-    def filter_node(self):
-        node_id = self.request.query_params.get("node_id")
+    def set_assets_node(self, assets):
+        if not isinstance(assets, list):
+            assets = [assets]
+        node_id = self.request.query_params.get('node_id')
        if not node_id:
            return
-
-        node = get_object_or_404(Node, id=node_id)
-        show_current_asset = self.request.query_params.get("show_current_asset")
-
-        if node.is_root():
-            if show_current_asset:
-                self.queryset = self.queryset.filter(
-                    Q(nodes=node_id) | Q(nodes__isnull=True)
-                ).distinct()
+        node = get_object_or_none(Node, pk=node_id)
+        if not node:
            return
-        if show_current_asset:
-            self.queryset = self.queryset.filter(nodes=node).distinct()
-        else:
-            self.queryset = self.queryset.filter(
-                nodes__key__regex='^{}(:[0-9]+)*$'.format(node.key),
-            ).distinct()
+        node.assets.add(*assets)

-    def filter_admin_user_id(self):
-        admin_user_id = self.request.query_params.get('admin_user_id')
-        if admin_user_id:
-            admin_user = get_object_or_404(AdminUser, id=admin_user_id)
-            self.queryset = self.queryset.filter(admin_user=admin_user)
-
-    def get_queryset(self):
-        self.queryset = super().get_queryset()\
-            .prefetch_related('labels', 'nodes')\
-            .select_related('admin_user')
-        self.filter_admin_user_id()
-        self.filter_node()
-        return self.queryset
-
-
-class AssetListUpdateApi(IDInFilterMixin, ListBulkCreateUpdateDestroyAPIView):
-    """
-    Asset bulk update api
-    """
-    queryset = Asset.objects.all()
-    serializer_class = serializers.AssetSerializer
-    permission_classes = (IsOrgAdmin,)
+    def perform_create(self, serializer):
+        assets = serializer.save()
+        self.set_assets_node(assets)


 class AssetRefreshHardwareApi(generics.RetrieveAPIView):
@@ -104,29 +70,31 @@ class AssetRefreshHardwareApi(generics.RetrieveAPIView):

 class AssetAdminUserTestApi(generics.RetrieveAPIView):
    """
-    Test asset admin user connectivity
+    Test asset admin user assets_connectivity
    """
    queryset = Asset.objects.all()
    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.TaskIDSerializer

    def retrieve(self, request, *args, **kwargs):
        asset_id = kwargs.get('pk')
        asset = get_object_or_404(Asset, pk=asset_id)
-        task = test_asset_connectability_manual.delay(asset)
+        task = test_asset_connectivity_manual.delay(asset)
        return Response({"task": task.id})


 class AssetGatewayApi(generics.RetrieveAPIView):
    queryset = Asset.objects.all()
    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.GatewayWithAuthSerializer

    def retrieve(self, request, *args, **kwargs):
        asset_id = kwargs.get('pk')
        asset = get_object_or_404(Asset, pk=asset_id)

        if asset.domain and \
-                asset.domain.gateways.filter(protocol=asset.protocol).exists():
-            gateway = random.choice(asset.domain.gateways.filter(protocol=asset.protocol))
+                asset.domain.gateways.filter(protocol='ssh').exists():
+            gateway = random.choice(asset.domain.gateways.filter(protocol='ssh'))
            serializer = serializers.GatewayWithAuthSerializer(instance=gateway)
            return Response(serializer.data)
        else:
--- a/apps/assets/api/asset_user.py
+++ b/apps/assets/api/asset_user.py
@@ -0,0 +1,173 @@
+# -*- coding: utf-8 -*-
+#
+
+from rest_framework.response import Response
+from rest_framework import generics
+from rest_framework import filters
+from rest_framework_bulk import BulkModelViewSet
+from django.shortcuts import get_object_or_404
+from django.http import Http404
+
+from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
+from common.utils import get_object_or_none, get_logger
+from common.mixins import CommonApiMixin
+from ..backends import AssetUserManager
+from ..models import Asset, Node, SystemUser, AdminUser
+from .. import serializers
+from ..tasks import test_asset_users_connectivity_manual
+
+
+__all__ = [
+    'AssetUserViewSet', 'AssetUserAuthInfoApi', 'AssetUserTestConnectiveApi',
+    'AssetUserExportViewSet',
+]
+
+
+logger = get_logger(__name__)
+
+
+class AssetUserFilterBackend(filters.BaseFilterBackend):
+    def filter_queryset(self, request, queryset, view):
+        kwargs = {}
+        for field in view.filter_fields:
+            value = request.GET.get(field)
+            if not value:
+                continue
+            if field in ("node_id", "system_user_id", "admin_user_id"):
+                continue
+            kwargs[field] = value
+        return queryset.filter(**kwargs)
+
+
+class AssetUserSearchBackend(filters.BaseFilterBackend):
+    def filter_queryset(self, request, queryset, view):
+        value = request.GET.get('search')
+        if not value:
+            return queryset
+        _queryset = AssetUserManager.none()
+        for field in view.search_fields:
+            if field in ("node_id", "system_user_id", "admin_user_id"):
+                continue
+            _queryset |= queryset.filter(**{field: value})
+        return _queryset.distinct()
+
+
+class AssetUserViewSet(CommonApiMixin, BulkModelViewSet):
+    serializer_class = serializers.AssetUserSerializer
+    permission_classes = [IsOrgAdminOrAppUser]
+    http_method_names = ['get', 'post']
+    filter_fields = [
+        "id", "ip", "hostname", "username", "asset_id", "node_id",
+        "system_user_id", "admin_user_id"
+    ]
+    search_fields = filter_fields
+    filter_backends = (
+        filters.OrderingFilter,
+        AssetUserFilterBackend, AssetUserSearchBackend,
+    )
+
+    def allow_bulk_destroy(self, qs, filtered):
+        return False
+
+    def get_queryset(self):
+        # 尽可能先返回更少的数据
+        username = self.request.GET.get('username')
+        asset_id = self.request.GET.get('asset_id')
+        node_id = self.request.GET.get('node_id')
+        admin_user_id = self.request.GET.get("admin_user_id")
+        system_user_id = self.request.GET.get("system_user_id")
+
+        kwargs = {}
+        assets = None
+
+        manager = AssetUserManager()
+        if system_user_id:
+            system_user = get_object_or_404(SystemUser, id=system_user_id)
+            assets = system_user.get_all_assets()
+            username = system_user.username
+        elif admin_user_id:
+            admin_user = get_object_or_404(AdminUser, id=admin_user_id)
+            assets = admin_user.assets.all()
+            username = admin_user.username
+            manager.prefer('admin_user')
+
+        if asset_id:
+            asset = get_object_or_404(Asset, id=asset_id)
+            assets = [asset]
+        elif node_id:
+            node = get_object_or_404(Node, id=node_id)
+            assets = node.get_all_assets()
+
+        if username:
+            kwargs['username'] = username
+        if assets is not None:
+            kwargs['assets'] = assets
+
+        queryset = manager.filter(**kwargs)
+        return queryset
+
+
+class AssetUserExportViewSet(AssetUserViewSet):
+    serializer_class = serializers.AssetUserExportSerializer
+    http_method_names = ['get']
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+
+
+class AssetUserAuthInfoApi(generics.RetrieveAPIView):
+    serializer_class = serializers.AssetUserAuthInfoSerializer
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+
+    def get_object(self):
+        query_params = self.request.query_params
+        username = query_params.get('username')
+        asset_id = query_params.get('asset_id')
+        prefer = query_params.get("prefer")
+        asset = get_object_or_none(Asset, pk=asset_id)
+        try:
+            manger = AssetUserManager()
+            instance = manger.get(username, asset, prefer=prefer)
+        except Exception as e:
+            raise Http404("Not found")
+        else:
+            return instance
+
+
+class AssetUserTestConnectiveApi(generics.RetrieveAPIView):
+    """
+    Test asset users connective
+    """
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.TaskIDSerializer
+
+    def get_asset_users(self):
+        username = self.request.GET.get('username')
+        asset_id = self.request.GET.get('asset_id')
+        prefer = self.request.GET.get("prefer")
+        asset = get_object_or_none(Asset, pk=asset_id)
+        manager = AssetUserManager()
+        asset_users = manager.filter(username=username, assets=[asset], prefer=prefer)
+        return asset_users
+
+    def retrieve(self, request, *args, **kwargs):
+        asset_users = self.get_asset_users()
+        prefer = self.request.GET.get("prefer")
+        kwargs = {}
+        if prefer == "admin_user":
+            kwargs["run_as_admin"] = True
+        task = test_asset_users_connectivity_manual.delay(asset_users, **kwargs)
+        return Response({"task": task.id})
+
+
+class AssetUserPushApi(generics.CreateAPIView):
+    """
+    Test asset users connective
+    """
+    serializer_class = serializers.AssetUserPushSerializer
+    permission_classes = (IsOrgAdminOrAppUser,)
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        asset = serializer.validated_data["asset"]
+        username = serializer.validated_data["username"]
+        pass
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+#
+
+from django.shortcuts import get_object_or_404
+
+from orgs.mixins.api import OrgBulkModelViewSet
+from ..hands import IsOrgAdmin
+from ..models import CommandFilter, CommandFilterRule
+from .. import serializers
+
+
+__all__ = ['CommandFilterViewSet', 'CommandFilterRuleViewSet']
+
+
+class CommandFilterViewSet(OrgBulkModelViewSet):
+    filter_fields = ("name",)
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdmin,)
+    queryset = CommandFilter.objects.all()
+    serializer_class = serializers.CommandFilterSerializer
+
+
+class CommandFilterRuleViewSet(OrgBulkModelViewSet):
+    filter_fields = ("content",)
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.CommandFilterRuleSerializer
+
+    def get_queryset(self):
+        fpk = self.kwargs.get('filter_pk')
+        if not fpk:
+            return CommandFilterRule.objects.none()
+        cmd_filter = get_object_or_404(CommandFilter, pk=fpk)
+        return cmd_filter.rules.all()
+
+
--- a/apps/assets/api/domain.py
+++ b/apps/assets/api/domain.py
@@ -1,14 +1,12 @@
 # ~*~ coding: utf-8 ~*~

-from rest_framework_bulk import BulkModelViewSet
 from rest_framework.views import APIView, Response
-
 from django.views.generic.detail import SingleObjectMixin

 from common.utils import get_logger
-from common.permissions import IsOrgAdmin, IsAppUser, IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
+from orgs.mixins.api import OrgBulkModelViewSet
 from ..models import Domain, Gateway
-from ..utils import test_gateway_connectability
 from .. import serializers


@@ -16,9 +14,9 @@ logger = get_logger(__file__)
 __all__ = ['DomainViewSet', 'GatewayViewSet', "GatewayTestConnectionApi"]


-class DomainViewSet(BulkModelViewSet):
+class DomainViewSet(OrgBulkModelViewSet):
    queryset = Domain.objects.all()
-    permission_classes = (IsOrgAdmin,)
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.DomainSerializer

    def get_serializer_class(self):
@@ -26,14 +24,9 @@ class DomainViewSet(BulkModelViewSet):
            return serializers.DomainWithGatewaySerializer
        return super().get_serializer_class()

-    def get_permissions(self):
-        if self.request.query_params.get('gateway'):
-            self.permission_classes = (IsOrgAdminOrAppUser,)
-        return super().get_permissions()

-
-class GatewayViewSet(BulkModelViewSet):
-    filter_fields = ("domain",)
+class GatewayViewSet(OrgBulkModelViewSet):
+    filter_fields = ("domain__name", "name", "username", "ip", "domain")
    search_fields = filter_fields
    queryset = Gateway.objects.all()
    permission_classes = (IsOrgAdmin,)
@@ -45,9 +38,10 @@ class GatewayTestConnectionApi(SingleObjectMixin, APIView):
    model = Gateway
    object = None

-    def get(self, request, *args, **kwargs):
+    def post(self, request, *args, **kwargs):
        self.object = self.get_object(Gateway.objects.all())
-        ok, e = test_gateway_connectability(self.object)
+        local_port = self.request.data.get('port') or self.object.port
+        ok, e = self.object.test_connective(local_port=local_port)
        if ok:
            return Response("ok")
        else:
--- a/apps/assets/api/gathered_user.py
+++ b/apps/assets/api/gathered_user.py
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+#
+
+from orgs.mixins.api import OrgModelViewSet
+from assets.models import GatheredUser
+from common.permissions import IsOrgAdmin
+
+from ..serializers import GatheredUserSerializer
+from ..filters import AssetRelatedByNodeFilterBackend
+
+
+__all__ = ['GatheredUserViewSet']
+
+
+class GatheredUserViewSet(OrgModelViewSet):
+    queryset = GatheredUser.objects.all()
+    serializer_class = GatheredUserSerializer
+    permission_classes = [IsOrgAdmin]
+    extra_filter_backends = [AssetRelatedByNodeFilterBackend]
+
+    filter_fields = ['asset', 'username', 'present']
+    search_fields = ['username', 'asset__ip', 'asset__hostname']
+
+
--- a/apps/assets/api/label.py
+++ b/apps/assets/api/label.py
@@ -13,10 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from rest_framework_bulk import BulkModelViewSet
 from django.db.models import Count

 from common.utils import get_logger
+from orgs.mixins.api import OrgBulkModelViewSet
 from ..hands import IsOrgAdmin
 from ..models import Label
 from .. import serializers
@@ -26,7 +26,9 @@ logger = get_logger(__file__)
 __all__ = ['LabelViewSet']


-class LabelViewSet(BulkModelViewSet):
+class LabelViewSet(OrgBulkModelViewSet):
+    filter_fields = ("name", "value")
+    search_fields = filter_fields
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.LabelSerializer

--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -13,19 +13,19 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from rest_framework import generics, mixins, viewsets
+from rest_framework import generics
 from rest_framework.serializers import ValidationError
 from rest_framework.views import APIView
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
 from django.utils.translation import ugettext_lazy as _
 from django.shortcuts import get_object_or_404
-from django.db.models import Count

 from common.utils import get_logger, get_object_or_none
+from common.tree import TreeNodeSerializer
+from orgs.mixins.api import OrgModelViewSet
 from ..hands import IsOrgAdmin
 from ..models import Node
-from ..tasks import update_assets_hardware_info_util, test_asset_connectability_util
+from ..tasks import update_assets_hardware_info_util, test_asset_connectivity_util
 from .. import serializers


@@ -34,100 +34,152 @@ __all__ = [
    'NodeViewSet', 'NodeChildrenApi', 'NodeAssetsApi',
    'NodeAddAssetsApi', 'NodeRemoveAssetsApi', 'NodeReplaceAssetsApi',
    'NodeAddChildrenApi', 'RefreshNodeHardwareInfoApi',
-    'TestNodeConnectiveApi'
+    'TestNodeConnectiveApi', 'NodeListAsTreeApi',
+    'NodeChildrenAsTreeApi', 'RefreshNodesCacheApi',
 ]


-class NodeViewSet(viewsets.ModelViewSet):
+class NodeViewSet(OrgModelViewSet):
+    filter_fields = ('value', 'key', 'id')
+    search_fields = ('value', )
    queryset = Node.objects.all()
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer

-    def get_queryset(self):
-        queryset = super().get_queryset().annotate(Count('assets'))
-        return queryset
-
+    # 仅支持根节点指直接创建，子节点下的节点需要通过children接口创建
    def perform_create(self, serializer):
-        child_key = Node.root().get_next_child_key()
+        child_key = Node.org_root().get_next_child_key()
        serializer.validated_data["key"] = child_key
        serializer.save()

+    def perform_update(self, serializer):
+        node = self.get_object()
+        if node.is_org_root() and node.value != serializer.validated_data['value']:
+            msg = _("You can't update the root node name")
+            raise ValidationError({"error": msg})
+        return super().perform_update(serializer)

-class NodeChildrenApi(mixins.ListModelMixin, generics.CreateAPIView):
+
+class NodeListAsTreeApi(generics.ListAPIView):
+    """
+    获取节点列表树
+    [
+      {
+        "id": "",
+        "name": "",
+        "pId": "",
+        "meta": ""
+      }
+    ]
+    """
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = TreeNodeSerializer
+
+    @staticmethod
+    def to_tree_queryset(queryset):
+        queryset = [node.as_tree_node() for node in queryset]
+        return queryset
+
+    def get_queryset(self):
+        queryset = Node.objects.all()
+        return queryset
+
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        queryset = self.to_tree_queryset(queryset)
+        return queryset
+
+
+class NodeChildrenApi(generics.ListCreateAPIView):
    queryset = Node.objects.all()
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer
    instance = None
+    is_initial = False

-    def counter(self):
-        values = [
-            child.value[child.value.rfind(' '):]
-            for child in self.get_object().get_children()
-            if child.value.startswith("新节点 ")
-        ]
-        values = [int(value) for value in values if value.strip().isdigit()]
-        count = max(values)+1 if values else 1
-        return count
+    def initial(self, request, *args, **kwargs):
+        self.instance = self.get_object()
+        return super().initial(request, *args, **kwargs)

-    def post(self, request, *args, **kwargs):
-        if not request.data.get("value"):
-            request.data["value"] = _("New node {}").format(self.counter())
-        return super().post(request, *args, **kwargs)
-
-    def create(self, request, *args, **kwargs):
-        instance = self.get_object()
-        value = request.data.get("value")
-        values = [child.value for child in instance.get_children()]
-        if value in values:
-            raise ValidationError(
-                'The same level node name cannot be the same'
-            )
-        node = instance.create_child(value=value)
-        return Response(
-            {"id": node.id, "key": node.key, "value": node.value},
-            status=201,
-        )
+    def perform_create(self, serializer):
+        data = serializer.validated_data
+        _id = data.get("id")
+        value = data.get("value")
+        if not value:
+            value = self.instance.get_next_child_preset_name()
+        node = self.instance.create_child(value=value, _id=_id)
+        # 避免查询 full value
+        node._full_value = node.value
+        serializer.instance = node

    def get_object(self):
        pk = self.kwargs.get('pk') or self.request.query_params.get('id')
-        if not pk:
-            node = None
-        else:
+        key = self.request.query_params.get("key")
+        if not pk and not key:
+            node = Node.org_root()
+            self.is_initial = True
+            return node
+        if pk:
            node = get_object_or_404(Node, pk=pk)
+        else:
+            node = get_object_or_404(Node, key=key)
        return node

    def get_queryset(self):
-        queryset = []
-        query_all = self.request.query_params.get("all")
-        query_assets = self.request.query_params.get('assets')
-        node = self.get_object()
+        query_all = self.request.query_params.get("all", "0") == "all"
+        if not self.instance:
+            return Node.objects.none()

-        if node is None:
-            node = Node.root()
-            node.assets__count = node.get_all_assets().count()
-            queryset.append(node)
+        if self.is_initial:
+            with_self = True
+        else:
+            with_self = False

        if query_all:
-            children = node.get_all_children().annotate(Count("assets"))
+            queryset = self.instance.get_all_children(with_self=with_self)
        else:
-            children = node.get_children().annotate(Count("assets"))
-        queryset.extend(list(children))
-
-        if query_assets:
-            assets = node.get_assets()
-            for asset in assets:
-                node_fake = Node()
-                node_fake.assets__count = 0
-                node_fake.id = asset.id
-                node_fake.is_node = False
-                node_fake.key = node.key + ':0'
-                node_fake.value = asset.hostname
-                queryset.append(node_fake)
-        queryset = sorted(queryset, key=lambda x: x.is_node, reverse=True)
+            queryset = self.instance.get_children(with_self=with_self)
        return queryset

-    def get(self, request, *args, **kwargs):
-        return super().list(request, *args, **kwargs)
+
+class NodeChildrenAsTreeApi(NodeChildrenApi):
+    """
+    节点子节点作为树返回，
+    [
+      {
+        "id": "",
+        "name": "",
+        "pId": "",
+        "meta": ""
+      }
+    ]
+
+    """
+    serializer_class = TreeNodeSerializer
+    http_method_names = ['get']
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = [node.as_tree_node() for node in queryset]
+        queryset = self.add_assets_if_need(queryset)
+        queryset = sorted(queryset)
+        return queryset
+
+    def add_assets_if_need(self, queryset):
+        include_assets = self.request.query_params.get('assets', '0') == '1'
+        if not include_assets:
+            return queryset
+        assets = self.instance.get_assets().only(
+            "id", "hostname", "ip", 'platform', "os",
+            "org_id", "protocols",
+        )
+        for asset in assets:
+            queryset.append(asset.as_tree_node(self.instance))
+        return queryset
+
+    def check_need_refresh_nodes(self):
+        if self.request.query_params.get('refresh', '0') == '1':
+            Node.refresh_nodes()


 class NodeAssetsApi(generics.ListAPIView):
@@ -182,7 +234,7 @@ class NodeRemoveAssetsApi(generics.UpdateAPIView):
    def perform_update(self, serializer):
        assets = serializer.validated_data.get('assets')
        instance = self.get_object()
-        if instance != Node.root():
+        if instance != Node.org_root():
            instance.assets.remove(*tuple(assets))
        else:
            assets = [asset for asset in assets if asset.nodes.count() > 1]
@@ -209,8 +261,9 @@ class RefreshNodeHardwareInfoApi(APIView):
    def get(self, request, *args, **kwargs):
        node_id = kwargs.get('pk')
        node = get_object_or_404(self.model, id=node_id)
-        assets = node.assets.all()
-        task_name = _("更新节点资产硬件信息: {}".format(node.name))
+        assets = node.get_all_assets()
+        # task_name = _("更新节点资产硬件信息: {}".format(node.name))
+        task_name = _("Update node asset hardware information: {}").format(node.name)
        task = update_assets_hardware_info_util.delay(assets, task_name=task_name)
        return Response({"task": task.id})

@@ -222,7 +275,20 @@ class TestNodeConnectiveApi(APIView):
    def get(self, request, *args, **kwargs):
        node_id = kwargs.get('pk')
        node = get_object_or_404(self.model, id=node_id)
-        assets = node.assets.all()
-        task_name = _("测试节点下资产是否可连接: {}".format(node.name))
-        task = test_asset_connectability_util.delay(assets, task_name=task_name)
+        assets = node.get_all_assets()
+        # task_name = _("测试节点下资产是否可连接: {}".format(node.name))
+        task_name = _("Test if the assets under the node are connectable: {}".format(node.name))
+        task = test_asset_connectivity_util.delay(assets, task_name=task_name)
        return Response({"task": task.id})
+
+
+class RefreshNodesCacheApi(APIView):
+    permission_classes = (IsOrgAdmin,)
+
+    def get(self, request, *args, **kwargs):
+        Node.refresh_nodes()
+        return Response("Ok")
+
+    def delete(self, *args, **kwargs):
+        self.get(*args, **kwargs)
+        return Response(status=204)
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@@ -13,33 +13,46 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+from django.shortcuts import get_object_or_404
 from rest_framework import generics
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet

+from common.serializers import CeleryTaskSerializer
 from common.utils import get_logger
 from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
-from ..models import SystemUser
+from orgs.mixins.api import OrgBulkModelViewSet
+from ..models import SystemUser, Asset
 from .. import serializers
-from ..tasks import push_system_user_to_assets_manual, \
-    test_system_user_connectability_manual
+from ..tasks import (
+    push_system_user_to_assets_manual, test_system_user_connectivity_manual,
+    push_system_user_a_asset_manual, test_system_user_connectivity_a_asset,
+)


 logger = get_logger(__file__)
 __all__ = [
-    'SystemUserViewSet', 'SystemUserAuthInfoApi',
-    'SystemUserPushApi', 'SystemUserTestConnectiveApi'
+    'SystemUserViewSet', 'SystemUserAuthInfoApi', 'SystemUserAssetAuthInfoApi',
+    'SystemUserPushApi', 'SystemUserTestConnectiveApi',
+    'SystemUserAssetsListView', 'SystemUserPushToAssetApi',
+    'SystemUserTestAssetConnectivityApi', 'SystemUserCommandFilterRuleListApi',
+
 ]


-class SystemUserViewSet(BulkModelViewSet):
+class SystemUserViewSet(OrgBulkModelViewSet):
    """
    System user api set, for add,delete,update,list,retrieve resource
    """
+    filter_fields = ("name", "username")
+    search_fields = filter_fields
    queryset = SystemUser.objects.all()
    serializer_class = serializers.SystemUserSerializer
    permission_classes = (IsOrgAdminOrAppUser,)

+    def get_queryset(self):
+        queryset = super().get_queryset().all()
+        return queryset
+

 class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
    """
@@ -55,12 +68,29 @@ class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
        return Response(status=204)


+class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
+    """
+    Get system user with asset auth info
+    """
+    queryset = SystemUser.objects.all()
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.SystemUserAuthSerializer
+
+    def get_object(self):
+        instance = super().get_object()
+        aid = self.kwargs.get('aid')
+        asset = get_object_or_404(Asset, pk=aid)
+        instance.load_specific_asset_auth(asset)
+        return instance
+
+
 class SystemUserPushApi(generics.RetrieveAPIView):
    """
    Push system user to cluster assets api
    """
    queryset = SystemUser.objects.all()
    permission_classes = (IsOrgAdmin,)
+    serializer_class = CeleryTaskSerializer

    def retrieve(self, request, *args, **kwargs):
        system_user = self.get_object()
@@ -77,8 +107,64 @@ class SystemUserTestConnectiveApi(generics.RetrieveAPIView):
    """
    queryset = SystemUser.objects.all()
    permission_classes = (IsOrgAdmin,)
+    serializer_class = CeleryTaskSerializer

    def retrieve(self, request, *args, **kwargs):
        system_user = self.get_object()
-        task = test_system_user_connectability_manual.delay(system_user)
+        task = test_system_user_connectivity_manual.delay(system_user)
        return Response({"task": task.id})
+
+
+class SystemUserAssetsListView(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.AssetSimpleSerializer
+    filter_fields = ("hostname", "ip")
+    http_method_names = ['get']
+    search_fields = filter_fields
+
+    def get_object(self):
+        pk = self.kwargs.get('pk')
+        return get_object_or_404(SystemUser, pk=pk)
+
+    def get_queryset(self):
+        system_user = self.get_object()
+        return system_user.assets.all()
+
+
+class SystemUserPushToAssetApi(generics.RetrieveAPIView):
+    queryset = SystemUser.objects.all()
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.TaskIDSerializer
+
+    def retrieve(self, request, *args, **kwargs):
+        system_user = self.get_object()
+        asset_id = self.kwargs.get('aid')
+        asset = get_object_or_404(Asset, id=asset_id)
+        task = push_system_user_a_asset_manual.delay(system_user, asset)
+        return Response({"task": task.id})
+
+
+class SystemUserTestAssetConnectivityApi(generics.RetrieveAPIView):
+    queryset = SystemUser.objects.all()
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.TaskIDSerializer
+
+    def retrieve(self, request, *args, **kwargs):
+        system_user = self.get_object()
+        asset_id = self.kwargs.get('aid')
+        asset = get_object_or_404(Asset, id=asset_id)
+        task = test_system_user_connectivity_a_asset.delay(system_user, asset)
+        return Response({"task": task.id})
+
+
+class SystemUserCommandFilterRuleListApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+
+    def get_serializer_class(self):
+        from ..serializers import CommandFilterRuleSerializer
+        return CommandFilterRuleSerializer
+
+    def get_queryset(self):
+        pk = self.kwargs.get('pk', None)
+        system_user = get_object_or_404(SystemUser, pk=pk)
+        return system_user.cmd_filter_rules
--- a/apps/assets/apps.py
+++ b/apps/assets/apps.py
@@ -1,11 +1,25 @@
 from __future__ import unicode_literals

 from django.apps import AppConfig
+from django.db.models.signals import post_migrate
+
+
+def initial_some_nodes():
+    from .models import Node
+    Node.initial_some_nodes()
+
+
+def initial_some_nodes_callback(sender, **kwargs):
+    initial_some_nodes()


 class AssetsConfig(AppConfig):
    name = 'assets'

    def ready(self):
-        from . import signals_handler
        super().ready()
+        from . import signals_handler
+        try:
+            initial_some_nodes()
+        except Exception:
+            post_migrate.connect(initial_some_nodes_callback, sender=self)
--- a/apps/assets/backends/init.py
+++ b/apps/assets/backends/init.py
@@ -0,0 +1 @@
+from .manager import AssetUserManager
--- a/apps/assets/backends/admin_user.py
+++ b/apps/assets/backends/admin_user.py
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+#
+
+from ..models import AdminUser
+from .asset_user import AssetUserBackend
+
+
+class AdminUserBackend(AssetUserBackend):
+    model = AdminUser
+    backend = 'AdminUser'
--- a/apps/assets/backends/asset_user.py
+++ b/apps/assets/backends/asset_user.py
@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+#
+from collections import defaultdict
+from .base import BaseBackend
+
+
+class AssetUserBackend(BaseBackend):
+    model = None
+    backend = "AssetUser"
+
+    @classmethod
+    def filter_queryset_more(cls, queryset):
+        return queryset
+
+    @classmethod
+    def filter(cls, username=None, assets=None, **kwargs):
+        queryset = cls.model.objects.all()
+        prefer_id = kwargs.get('prefer_id')
+        if prefer_id:
+            queryset = queryset.filter(id=prefer_id)
+            instances = cls.construct_authbook_objects(queryset, assets)
+            return instances
+        if username:
+            queryset = queryset.filter(username=username)
+        if assets:
+            queryset = queryset.filter(assets__in=assets).distinct()
+
+        queryset = cls.filter_queryset_more(queryset)
+        instances = cls.construct_authbook_objects(queryset, assets)
+        return instances
+
+    @classmethod
+    def construct_authbook_objects(cls, asset_users, assets):
+        instances = []
+        assets_user_assets_map = defaultdict(set)
+        if isinstance(asset_users, list):
+            assets_user_assets_map = {
+                asset_user.id: asset_user.assets.values_list('id', flat=True)
+                for asset_user in asset_users
+            }
+        else:
+            assets_user_assets = asset_users.values_list('id', 'assets')
+            for i, asset_id in assets_user_assets:
+                assets_user_assets_map[i].add(asset_id)
+
+        for asset_user in asset_users:
+            if not assets:
+                related_assets = asset_user.assets.all()
+            else:
+                assets_map = {a.id: a for a in assets}
+                related_assets = [
+                    assets_map.get(i) for i in assets_user_assets_map.get(asset_user.id) if i in assets_map
+                ]
+            for asset in related_assets:
+                instance = asset_user.construct_to_authbook(asset)
+                instance.backend = cls.backend
+                instances.append(instance)
+        return instances
--- a/apps/assets/backends/base.py
+++ b/apps/assets/backends/base.py
@@ -0,0 +1,91 @@
+# -*- coding: utf-8 -*-
+#
+import uuid
+from abc import abstractmethod
+
+
+class BaseBackend:
+    @classmethod
+    @abstractmethod
+    def filter(cls, username=None, assets=None, latest=True, prefer=None, prefer_id=None):
+        """
+        :param username: 用户名
+        :param assets: <Asset>对象
+        :param latest: 是否是最新记录
+        :param prefer: 优先使用
+        :param prefer_id: 使用id
+        :return: 元素为<AuthBook>的可迭代对象(<list> or <QuerySet>)
+        """
+        pass
+
+
+class AssetUserQuerySet(list):
+    def order_by(self, *ordering):
+        _ordering = []
+        reverse = False
+        for i in ordering:
+            if i[0] == '-':
+                reverse = True
+                i = i[1:]
+            _ordering.append(i)
+        self.sort(key=lambda obj: [getattr(obj, j) for j in _ordering], reverse=reverse)
+        return self
+
+    def filter_in(self, kwargs):
+        in_kwargs = {}
+        queryset = []
+        for k, v in kwargs.items():
+            if len(v) == 0:
+                return self
+            if k.find("__in") >= 0:
+                in_kwargs[k] = v
+        for k in in_kwargs:
+            kwargs.pop(k)
+
+        if len(in_kwargs) == 0:
+            return self
+        for i in self:
+            matched = True
+            for k, v in in_kwargs.items():
+                key = k.split('__')[0]
+                attr = getattr(i, key, None)
+                # 如果属性或者value中是uuid,则转换成string
+                if isinstance(v[0], uuid.UUID):
+                    v = [str(i) for i in v]
+                if isinstance(attr, uuid.UUID):
+                    attr = str(attr)
+                if attr not in v:
+                    matched = False
+            if matched:
+                queryset.append(i)
+        return AssetUserQuerySet(queryset)
+
+    def filter_equal(self, kwargs):
+        def filter_it(obj):
+            wanted = []
+            real = []
+            for k, v in kwargs.items():
+                wanted.append(v)
+                value = getattr(obj, k)
+                if isinstance(value, uuid.UUID):
+                    value = str(value)
+                real.append(value)
+            return wanted == real
+        if len(kwargs) > 0:
+            queryset = AssetUserQuerySet([i for i in self if filter_it(i)])
+        else:
+            queryset = self
+        return queryset
+
+    def filter(self, **kwargs):
+        queryset = self.filter_in(kwargs).filter_equal(kwargs)
+        return queryset
+
+    def distinct(self):
+        items = list(set(self))
+        self[:] = items
+        return self
+
+    def __or__(self, other):
+        self.extend(other)
+        return self
--- a/apps/assets/backends/db.py
+++ b/apps/assets/backends/db.py
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+#
+
+from ..models import AuthBook
+from .base import BaseBackend
+
+
+class AuthBookBackend(BaseBackend):
+    @classmethod
+    def filter(cls, username=None, assets=None, latest=True, **kwargs):
+        queryset = AuthBook.objects.all()
+        if username is not None:
+            queryset = queryset.filter(username=username)
+        if assets:
+            queryset = queryset.filter(asset__in=assets)
+        if latest:
+            queryset = queryset.latest_version()
+        return queryset
+
+    @classmethod
+    def create(cls, **kwargs):
+        auth_info = {
+            'password': kwargs.pop('password', ''),
+            'public_key': kwargs.pop('public_key', ''),
+            'private_key': kwargs.pop('private_key', '')
+        }
+        obj = AuthBook.objects.create(**kwargs)
+        obj.set_auth(**auth_info)
+        return obj
--- a/apps/assets/backends/manager.py
+++ b/apps/assets/backends/manager.py
@@ -0,0 +1,110 @@
+# -*- coding: utf-8 -*-
+#
+from django.core.exceptions import MultipleObjectsReturned, ObjectDoesNotExist
+
+from .base import AssetUserQuerySet
+from .db import AuthBookBackend
+from .system_user import SystemUserBackend
+from .admin_user import AdminUserBackend
+
+
+class NotSupportError(Exception):
+    pass
+
+
+class AssetUserManager:
+    """
+    资产用户管理器
+    """
+    ObjectDoesNotExist = ObjectDoesNotExist
+    MultipleObjectsReturned = MultipleObjectsReturned
+    NotSupportError = NotSupportError
+    MSG_NOT_EXIST = '{} Object matching query does not exist'
+    MSG_MULTIPLE = '{} get() returned more than one object ' \
+                   '-- it returned {}!'
+
+    backends = (
+        ('db', AuthBookBackend),
+        ('system_user', SystemUserBackend),
+        ('admin_user', AdminUserBackend),
+    )
+
+    _prefer = "system_user"
+
+    def filter(self, username=None, assets=None, latest=True, prefer=None, prefer_id=None):
+        if assets is not None and not assets:
+            return AssetUserQuerySet([])
+
+        if prefer:
+            self._prefer = prefer
+
+        instances_map = {}
+        instances = []
+        for name, backend in self.backends:
+            if name != "db" and self._prefer != name:
+                continue
+            _instances = backend.filter(
+                username=username, assets=assets, latest=latest,
+                prefer=self._prefer, prefer_id=prefer_id,
+            )
+            instances_map[name] = _instances
+
+        # 如果不是获取最新版本，就不再merge
+        if not latest:
+            for _instances in instances_map.values():
+                instances.extend(_instances)
+            return AssetUserQuerySet(instances)
+
+        # merge的顺序
+        ordering = ["db"]
+        if self._prefer == "system_user":
+            ordering.extend(["system_user", "admin_user"])
+        else:
+            ordering.extend(["admin_user", "system_user"])
+        # 根据prefer决定优先使用系统用户或管理用户谁的
+        ordering_instances = [instances_map.get(i, []) for i in ordering]
+        instances = self._merge_instances(*ordering_instances)
+        return AssetUserQuerySet(instances)
+
+    def get(self, username, asset, **kwargs):
+        instances = self.filter(username, assets=[asset], **kwargs)
+        if len(instances) == 1:
+            return instances[0]
+        elif len(instances) == 0:
+            self.raise_does_not_exist(self.__class__.__name__)
+        else:
+            self.raise_multiple_return(self.__class__.__name__, len(instances))
+
+    def raise_does_not_exist(self, name):
+        raise self.ObjectDoesNotExist(self.MSG_NOT_EXIST.format(name))
+
+    def raise_multiple_return(self, name, length):
+        raise self.MultipleObjectsReturned(self.MSG_MULTIPLE.format(name, length))
+
+    @staticmethod
+    def create(**kwargs):
+        instance = AuthBookBackend.create(**kwargs)
+        return instance
+
+    def all(self):
+        return self.filter()
+
+    def prefer(self, s):
+        self._prefer = s
+        return self
+
+    @staticmethod
+    def none():
+        return AssetUserQuerySet()
+
+    @staticmethod
+    def _merge_instances(*args):
+        instances = list(args[0])
+        keywords = [obj.keyword for obj in instances]
+
+        for _instances in args[1:]:
+            need_merge_instances = [obj for obj in _instances if obj.keyword not in keywords]
+            need_merge_keywords = [obj.keyword for obj in need_merge_instances]
+            instances.extend(need_merge_instances)
+            keywords.extend(need_merge_keywords)
+        return instances
--- a/apps/assets/backends/system_user.py
+++ b/apps/assets/backends/system_user.py
@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+#
+
+import itertools
+
+from assets.models import SystemUser
+from .asset_user import AssetUserBackend
+
+
+class SystemUserBackend(AssetUserBackend):
+    model = SystemUser
+    backend = 'SystemUser'
+
+    @classmethod
+    def filter_queryset_more(cls, queryset):
+        queryset = cls._distinct_system_users_by_username(queryset)
+        return queryset
+
+    @classmethod
+    def _distinct_system_users_by_username(cls, system_users):
+        system_users = sorted(
+            system_users,
+            key=lambda su: (su.username, su.priority, su.date_updated),
+            reverse=True,
+        )
+        results = itertools.groupby(system_users, key=lambda su: su.username)
+        system_users = [next(result[1]) for result in results]
+        return system_users
+
+
--- a/apps/assets/backends/utils.py
+++ b/apps/assets/backends/utils.py
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+#
+
+# from django.conf import settings
+
+from .db import AuthBookBackend
+# from .vault import VaultBackend
+
+
+def get_backend():
+    default_backend = AuthBookBackend
+
+    # if settings.BACKEND_ASSET_USER_AUTH_VAULT:
+    #     return VaultBackend
+
+    return default_backend
--- a/apps/assets/backends/vault.py
+++ b/apps/assets/backends/vault.py
@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+#
+
+from .base import BaseBackend
+
+
+class VaultBackend(BaseBackend):
+
+    @classmethod
+    def filter(cls, username=None, asset=None, latest=True):
+        pass
--- a/apps/assets/const.py
+++ b/apps/assets/const.py
@@ -1,38 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-UPDATE_ASSETS_HARDWARE_TASKS = [
-   {
-       'name': "setup",
-       'action': {
-           'module': 'setup'
-       }
-   }
-]
-
-ADMIN_USER_CONN_CACHE_KEY = "ADMIN_USER_CONN_{}"
-TEST_ADMIN_USER_CONN_TASKS = [
-    {
-        "name": "ping",
-        "action": {
-            "module": "ping",
-        }
-    }
-]
-
-ASSET_ADMIN_CONN_CACHE_KEY = "ASSET_ADMIN_USER_CONN_{}"
-
-SYSTEM_USER_CONN_CACHE_KEY = "SYSTEM_USER_CONN_{}"
-TEST_SYSTEM_USER_CONN_TASKS = [
-   {
-       "name": "ping",
-       "action": {
-           "module": "ping",
-       }
-   }
-]
-
-TASK_OPTIONS = {
-    'timeout': 10,
-    'forks': 10,
-}
--- a/apps/assets/filters.py
+++ b/apps/assets/filters.py
@@ -0,0 +1,115 @@
+# -*- coding: utf-8 -*-
+#
+
+import coreapi
+from rest_framework import filters
+from django.db.models import Q
+
+from common.utils import dict_get_any, is_uuid, get_object_or_none
+from .models import Node, Label
+
+
+class AssetByNodeFilterBackend(filters.BaseFilterBackend):
+    fields = ['node', 'all']
+
+    def get_schema_fields(self, view):
+        return [
+            coreapi.Field(
+                name=field, location='query', required=False,
+                type='string', example='', description='', schema=None,
+            )
+            for field in self.fields
+        ]
+
+    @staticmethod
+    def is_query_all(request):
+        query_all_arg = request.query_params.get('all')
+        show_current_asset_arg = request.query_params.get('show_current_asset')
+
+        query_all = query_all_arg == '1'
+        if show_current_asset_arg is not None:
+            query_all = show_current_asset_arg != '1'
+        return query_all
+
+    @staticmethod
+    def get_query_node(request):
+        node_id = dict_get_any(request.query_params, ['node', 'node_id'])
+        if not node_id:
+            return None, False
+
+        if is_uuid(node_id):
+            node = get_object_or_none(Node, id=node_id)
+        else:
+            node = get_object_or_none(Node, key=node_id)
+        return node, True
+
+    @staticmethod
+    def perform_query(pattern, queryset):
+        return queryset.filter(nodes__key__regex=pattern).distinct()
+
+    def filter_queryset(self, request, queryset, view):
+        node, has_query_arg = self.get_query_node(request)
+        if not has_query_arg:
+            return queryset
+
+        if node is None:
+            return queryset.none()
+        query_all = self.is_query_all(request)
+        if query_all:
+            pattern = node.get_all_children_pattern(with_self=True)
+        else:
+            pattern = node.get_children_key_pattern(with_self=True)
+        return self.perform_query(pattern, queryset)
+
+
+class LabelFilterBackend(filters.BaseFilterBackend):
+    sep = '#'
+    query_arg = 'label'
+
+    def get_schema_fields(self, view):
+        example = self.sep.join(['os', 'linux'])
+        return [
+            coreapi.Field(
+                name=self.query_arg, location='query', required=False,
+                type='string', example=example, description=''
+            )
+        ]
+
+    def get_query_labels(self, request):
+        labels_query = request.query_params.getlist(self.query_arg)
+        if not labels_query:
+            return None
+
+        q = None
+        for kv in labels_query:
+            if self.sep not in kv:
+                continue
+            key, value = kv.strip().split(self.sep)[:2]
+            if not all([key, value]):
+                continue
+            if q:
+                q |= Q(name=key, value=value)
+            else:
+                q = Q(name=key, value=value)
+        if not q:
+            return []
+        labels = Label.objects.filter(q, is_active=True)\
+            .values_list('id', flat=True)
+        return labels
+
+    def filter_queryset(self, request, queryset, view):
+        labels = self.get_query_labels(request)
+        if labels is None:
+            return queryset
+        if len(labels) == 0:
+            return queryset.none()
+        for label in labels:
+            queryset = queryset.filter(labels=label)
+        return queryset
+
+
+class AssetRelatedByNodeFilterBackend(AssetByNodeFilterBackend):
+    @staticmethod
+    def perform_query(pattern, queryset):
+        return queryset.filter(asset__nodes__key__regex=pattern).distinct()
+
--- a/apps/assets/forms/init.py
+++ b/apps/assets/forms/init.py
@@ -4,3 +4,4 @@ from .asset import *
 from .label import *
 from .user import *
 from .domain import *
+from .cmd_filter import *
--- a/apps/assets/forms/asset.py
+++ b/apps/assets/forms/asset.py
@@ -4,27 +4,59 @@ from django import forms
 from django.utils.translation import gettext_lazy as _

 from common.utils import get_logger
-from orgs.mixins import OrgModelForm
+from orgs.mixins.forms import OrgModelForm

-from ..models import Asset, AdminUser
+from ..models import Asset, Node


 logger = get_logger(__file__)
-__all__ = ['AssetCreateForm', 'AssetUpdateForm', 'AssetBulkUpdateForm']
+__all__ = [
+    'AssetCreateForm', 'AssetUpdateForm', 'AssetBulkUpdateForm', 'ProtocolForm',
+]
+
+HELP_TEXTS_ASSET_HOSTNAME = _(
+    'Only Numbers、letters、 chinese and characters ( {} ) are allowed'
+).format(" ".join(['.', '_', '@']))
+
+
+class ProtocolForm(forms.Form):
+    name = forms.ChoiceField(
+        choices=Asset.PROTOCOL_CHOICES, label=_("Name"), initial='ssh',
+        widget=forms.Select(attrs={'class': 'form-control protocol-name'})
+    )
+    port = forms.IntegerField(
+        max_value=65534, min_value=1, label=_("Port"), initial=22,
+        widget=forms.TextInput(attrs={'class': 'form-control protocol-port'})
+    )


 class AssetCreateForm(OrgModelForm):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if self.data:
+            return
+        nodes_field = self.fields['nodes']
+        if self.instance:
+            nodes_field.choices = [(n.id, n.full_value) for n in
+                                   self.instance.nodes.all()]
+        else:
+            nodes_field.choices = []
+
+    def add_nodes_initial(self, node):
+        nodes_field = self.fields['nodes']
+        nodes_field.choices.append((node.id, node.full_value))
+        nodes_field.initial = [node]
+
    class Meta:
        model = Asset
        fields = [
-            'hostname', 'ip', 'public_ip', 'port',  'comment',
+            'hostname', 'ip', 'public_ip', 'protocols', 'comment',
            'nodes', 'is_active', 'admin_user', 'labels', 'platform',
-            'domain', 'protocol',
-
+            'domain',
        ]
        widgets = {
            'nodes': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Nodes')
+                'class': 'nodes-select2', 'data-placeholder': _('Nodes')
            }),
            'admin_user': forms.Select(attrs={
                'class': 'select2', 'data-placeholder': _('Admin user')
@@ -32,7 +64,6 @@ class AssetCreateForm(OrgModelForm):
            'labels': forms.SelectMultiple(attrs={
                'class': 'select2', 'data-placeholder': _('Label')
            }),
-            'port': forms.TextInput(),
            'domain': forms.Select(attrs={
                'class': 'select2', 'data-placeholder': _('Domain')
            }),
@@ -41,29 +72,38 @@ class AssetCreateForm(OrgModelForm):
            'nodes': _("Node"),
        }
        help_texts = {
-            'hostname': '* required',
-            'ip': '* required',
-            'port': '* required',
+            'hostname': HELP_TEXTS_ASSET_HOSTNAME,
            'admin_user': _(
                'root or other NOPASSWD sudo privilege user existed in asset,'
                'If asset is windows or other set any one, more see admin user left menu'
            ),
-            # 'platform': _("* required Must set exact system platform, Windows, Linux ..."),
+            'platform': _("Windows 2016 RDP protocol is different, If is window 2016, set it"),
            'domain': _("If your have some network not connect with each other, you can set domain")
        }


 class AssetUpdateForm(OrgModelForm):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if self.data:
+            return
+        nodes_field = self.fields['nodes']
+        if self.instance:
+            nodes_field.choices = ((n.id, n.full_value) for n in
+                                   self.instance.nodes.all())
+        else:
+            nodes_field.choices = []
+
    class Meta:
        model = Asset
        fields = [
-            'hostname', 'ip', 'port', 'nodes',  'is_active', 'platform',
+            'hostname', 'ip', 'protocols', 'nodes',  'is_active', 'platform',
            'public_ip', 'number', 'comment', 'admin_user', 'labels',
-            'domain', 'protocol',
+            'domain',
        ]
        widgets = {
            'nodes': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Node')
+                'class': 'nodes-select2', 'data-placeholder': _('Node')
            }),
            'admin_user': forms.Select(attrs={
                'class': 'select2', 'data-placeholder': _('Admin user')
@@ -71,7 +111,6 @@ class AssetUpdateForm(OrgModelForm):
            'labels': forms.SelectMultiple(attrs={
                'class': 'select2', 'data-placeholder': _('Label')
            }),
-            'port': forms.TextInput(),
            'domain': forms.Select(attrs={
                'class': 'select2', 'data-placeholder': _('Domain')
            }),
@@ -80,22 +119,19 @@ class AssetUpdateForm(OrgModelForm):
            'nodes': _("Node"),
        }
        help_texts = {
-            'hostname': '* required',
-            'ip': '* required',
-            'port': '* required',
-            'cluster': '* required',
+            'hostname': HELP_TEXTS_ASSET_HOSTNAME,
            'admin_user': _(
                'root or other NOPASSWD sudo privilege user existed in asset,'
                'If asset is windows or other set any one, more see admin user left menu'
            ),
-            # 'platform': _("* required Must set exact system platform, Windows, Linux ..."),
+            'platform': _("Windows 2016 RDP protocol is different, If is window 2016, set it"),
            'domain': _("If your have some network not connect with each other, you can set domain")
        }


 class AssetBulkUpdateForm(OrgModelForm):
    assets = forms.ModelMultipleChoiceField(
-        required=True, help_text='* required',
+        required=True,
        label=_('Select assets'), queryset=Asset.objects.all(),
        widget=forms.SelectMultiple(
            attrs={
@@ -104,24 +140,12 @@ class AssetBulkUpdateForm(OrgModelForm):
            }
        )
    )
-    port = forms.IntegerField(
-        label=_('Port'), required=False, min_value=1, max_value=65535,
-    )
-    admin_user = forms.ModelChoiceField(
-        required=False, queryset=AdminUser.objects,
-        label=_("Admin user"),
-        widget=forms.Select(
-            attrs={
-                'class': 'select2',
-                'data-placeholder': _('Admin user')
-            }
-        )
-    )

    class Meta:
        model = Asset
        fields = [
-            'assets', 'port',  'admin_user', 'labels', 'nodes', 'platform'
+            'assets', 'admin_user', 'labels', 'platform',
+            'domain',
        ]
        widgets = {
            'labels': forms.SelectMultiple(
@@ -132,6 +156,13 @@ class AssetBulkUpdateForm(OrgModelForm):
            ),
        }

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        # 重写其他字段为不再required
+        for name, field in self.fields.items():
+            if name != 'assets':
+                field.required = False
+
    def save(self, commit=True):
        changed_fields = []
        for field in self._meta.fields:
@@ -142,14 +173,14 @@ class AssetBulkUpdateForm(OrgModelForm):
                        if k in changed_fields}
        assets = cleaned_data.pop('assets')
        labels = cleaned_data.pop('labels', [])
-        nodes = cleaned_data.pop('nodes')
+        nodes = cleaned_data.pop('nodes', None)
        assets = Asset.objects.filter(id__in=[asset.id for asset in assets])
        assets.update(**cleaned_data)

        if labels:
-            for label in labels:
-                label.assets.add(*tuple(assets))
+            for asset in assets:
+                asset.labels.set(labels)
        if nodes:
-            for node in nodes:
-                node.assets.add(*tuple(assets))
+            for asset in assets:
+                asset.nodes.set(nodes)
        return assets
--- a/apps/assets/forms/cmd_filter.py
+++ b/apps/assets/forms/cmd_filter.py
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+#
+from django import forms
+from django.core.exceptions import ValidationError
+from django.utils.translation import ugettext_lazy as _
+import re
+
+from orgs.mixins.forms import OrgModelForm
+from ..models import CommandFilter, CommandFilterRule
+
+__all__ = ['CommandFilterForm', 'CommandFilterRuleForm']
+
+
+class CommandFilterForm(OrgModelForm):
+    class Meta:
+        model = CommandFilter
+        fields = ['name', 'comment']
+
+
+class CommandFilterRuleForm(OrgModelForm):
+    invalid_pattern = re.compile(r'[\.\*\+\[\\\?\{\}\^\$\|\(\)\#\<\>]')
+
+    class Meta:
+        model = CommandFilterRule
+        fields = [
+            'filter', 'type', 'content', 'priority', 'action', 'comment'
+        ]
+        widgets = {
+            'content':  forms.Textarea(attrs={
+                'placeholder': 'eg:\r\nreboot\r\nrm -rf'
+            }),
+        }
+
+    def clean_content(self):
+        content = self.cleaned_data.get("content")
+        if self.invalid_pattern.search(content):
+            invalid_char = self.invalid_pattern.pattern.replace('\\', '')
+            msg = _("Content should not be contain: {}").format(invalid_char)
+            raise ValidationError(msg)
+        return content
--- a/apps/assets/forms/domain.py
+++ b/apps/assets/forms/domain.py
@@ -3,7 +3,7 @@
 from django import forms
 from django.utils.translation import gettext_lazy as _

-from orgs.mixins import OrgModelForm
+from orgs.mixins.forms import OrgModelForm
 from ..models import Domain, Asset, Gateway
 from .user import PasswordAndKeyAuthForm

@@ -28,6 +28,15 @@ class DomainForm(forms.ModelForm):
            initial['assets'] = kwargs['instance'].assets.all()
        super().__init__(*args, **kwargs)

+        # 前端渲染优化, 防止过多资产
+        assets_field = self.fields.get('assets')
+        if not self.data:
+            instance = kwargs.get('instance')
+            if instance:
+                assets_field.queryset = instance.assets.all()
+            else:
+                assets_field.queryset = Asset.objects.none()
+
    def save(self, commit=True):
        instance = super().save(commit=commit)
        assets = self.cleaned_data['assets']
@@ -36,6 +45,12 @@ class DomainForm(forms.ModelForm):


 class GatewayForm(PasswordAndKeyAuthForm, OrgModelForm):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        password_field = self.fields.get('password')
+        password_field.help_text = _('Password should not contain special characters')
+        protocol_field = self.fields.get('protocol')
+        protocol_field.choices = [Gateway.PROTOCOL_CHOICES[0]]

    def save(self, commit=True):
        # Because we define custom field, so we need rewrite :method: `save`
@@ -49,13 +64,12 @@ class GatewayForm(PasswordAndKeyAuthForm, OrgModelForm):
        model = Gateway
        fields = [
            'name', 'ip', 'port', 'username', 'protocol', 'domain', 'password',
-            'private_key_file',  'is_active', 'comment',
+            'private_key',  'is_active', 'comment',
        ]
+        help_texts = {
+            'protocol': _("SSH gateway support proxy SSH,RDP,VNC")
+        }
        widgets = {
            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
        }
-        help_texts = {
-            'name': '* required',
-            'username': '* required',
-        }
--- a/apps/assets/forms/label.py
+++ b/apps/assets/forms/label.py
@@ -26,6 +26,15 @@ class LabelForm(forms.ModelForm):
            initial['assets'] = kwargs['instance'].assets.all()
        super().__init__(*args, **kwargs)

+        # 前端渲染优化, 防止过多资产
+        assets_field = self.fields.get('assets')
+        if not self.data:
+            instance = kwargs.get('instance')
+            if instance:
+                assets_field.queryset = instance.assets.all()
+            else:
+                assets_field.queryset = Asset.objects.none()
+
    def save(self, commit=True):
        label = super().save(commit=commit)
        assets = self.cleaned_data['assets']
--- a/apps/assets/forms/user.py
+++ b/apps/assets/forms/user.py
@@ -3,8 +3,9 @@
 from django import forms
 from django.utils.translation import gettext_lazy as _

-from ..models import AdminUser, SystemUser
 from common.utils import validate_ssh_private_key, ssh_pubkey_gen, get_logger
+from orgs.mixins.forms import OrgModelForm
+from ..models import AdminUser, SystemUser

 logger = get_logger(__file__)
 __all__ = [
@@ -25,126 +26,82 @@ class PasswordAndKeyAuthForm(forms.ModelForm):
        label=_("Password"),
    )
    # Need use upload private key file except paste private key content
-    private_key_file = forms.FileField(required=False, label=_("Private key"))
+    private_key = forms.FileField(required=False, label=_("Private key"))

-    def clean_private_key_file(self):
-        private_key_file = self.cleaned_data['private_key_file']
+    def clean_private_key(self):
+        private_key_f = self.cleaned_data['private_key']
        password = self.cleaned_data['password']

-        if private_key_file:
-            key_string = private_key_file.read()
-            private_key_file.seek(0)
+        if private_key_f:
+            key_string = private_key_f.read()
+            private_key_f.seek(0)
+            key_string = key_string.decode()
+
            if not validate_ssh_private_key(key_string, password):
-                raise forms.ValidationError(_('Invalid private key'))
-        return private_key_file
+                msg = _('Invalid private key, Only support '
+                        'RSA/DSA format key')
+                raise forms.ValidationError(msg)
+        return private_key_f

    def validate_password_key(self):
        password = self.cleaned_data['password']
-        private_key_file = self.cleaned_data.get('private_key_file', '')
+        private_key_f = self.cleaned_data.get('private_key', '')

-        if not password and not private_key_file:
+        if not password and not private_key_f:
            raise forms.ValidationError(_(
                'Password and private key file must be input one'
            ))

    def gen_keys(self):
        password = self.cleaned_data.get('password', '') or None
-        private_key_file = self.cleaned_data['private_key_file']
+        private_key_f = self.cleaned_data['private_key']
        public_key = private_key = None

-        if private_key_file:
-            private_key = private_key_file.read().strip().decode('utf-8')
+        if private_key_f:
+            private_key = private_key_f.read().strip().decode('utf-8')
            public_key = ssh_pubkey_gen(private_key=private_key, password=password)
        return private_key, public_key


 class AdminUserForm(PasswordAndKeyAuthForm):
    def save(self, commit=True):
-        # Because we define custom field, so we need rewrite :method: `save`
-        admin_user = super().save(commit=commit)
-        password = self.cleaned_data.get('password', '') or None
-        private_key, public_key = super().gen_keys()
-        admin_user.set_auth(password=password, public_key=public_key, private_key=private_key)
-        return admin_user
-
-    def clean(self):
-        super().clean()
-        if not self.instance:
-            super().validate_password_key()
+        raise forms.ValidationError("Use api to save")

    class Meta:
        model = AdminUser
-        fields = ['name', 'username', 'password', 'private_key_file', 'comment']
+        fields = ['name', 'username', 'password', 'private_key', 'comment']
        widgets = {
            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
        }
-        help_texts = {
-            'name': '* required',
-            'username': '* required',
-        }


-class SystemUserForm(PasswordAndKeyAuthForm):
+class SystemUserForm(OrgModelForm, PasswordAndKeyAuthForm):
    # Admin user assets define, let user select, save it in form not in view
    auto_generate_key = forms.BooleanField(initial=True, required=False)

    def save(self, commit=True):
-        # Because we define custom field, so we need rewrite :method: `save`
-        system_user = super().save()
-        password = self.cleaned_data.get('password', '') or None
-        login_mode = self.cleaned_data.get('login_mode', '') or None
-        protocol = self.cleaned_data.get('protocol') or None
-        auto_generate_key = self.cleaned_data.get('auto_generate_key', False)
-        private_key, public_key = super().gen_keys()
-
-        if login_mode == SystemUser.MANUAL_LOGIN or protocol == SystemUser.TELNET_PROTOCOL:
-            system_user.auto_push = 0
-            system_user.save()
-
-        if auto_generate_key:
-            logger.info('Auto generate key and set system user auth')
-            system_user.auto_gen_auth()
-        else:
-            system_user.set_auth(password=password, private_key=private_key, public_key=public_key)
-
-        return system_user
-
-    def clean(self):
-        super().clean()
-        auto_generate = self.cleaned_data.get('auto_generate_key')
-        if not self.instance and not auto_generate:
-            super().validate_password_key()
-
-    def is_valid(self):
-        validated = super().is_valid()
-        username = self.cleaned_data.get('username')
-        login_mode = self.cleaned_data.get('login_mode')
-        if login_mode == SystemUser.AUTO_LOGIN and not username:
-            self.add_error(
-                "username", _('* Automatic login mode,'
-                              ' must fill in the username.')
-            )
-            return False
-        return validated
+        raise forms.ValidationError("Use api to save")

    class Meta:
        model = SystemUser
        fields = [
            'name', 'username', 'protocol', 'auto_generate_key',
-            'password', 'private_key_file', 'auto_push', 'sudo',
-            'comment', 'shell', 'priority', 'login_mode',
+            'password', 'private_key', 'auto_push', 'sudo',
+            'comment', 'shell', 'priority', 'login_mode', 'cmd_filters',
        ]
        widgets = {
            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
+            'cmd_filters': forms.SelectMultiple(attrs={
+                'class': 'select2', 'data-placeholder': _('Command filter')
+            }),
        }
        help_texts = {
-            'name': '* required',
-            'username': '* required',
            'auto_push': _('Auto push system user to asset'),
-            'priority': _('High level will be using login asset as default, '
+            'priority': _('1-100, High level will be using login asset as default, '
                          'if user was granted more than 2 system user'),
            'login_mode': _('If you choose manual login mode, you do not '
-                            'need to fill in the username and password.')
+                            'need to fill in the username and password.'),
+            'sudo': _("Use comma split multi command, ex: /bin/whoami,/bin/ifconfig")
        }
--- a/apps/assets/hands.py
+++ b/apps/assets/hands.py
@@ -11,6 +11,5 @@
 """


-from common.permissions import AdminUserRequiredMixin
 from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup
--- a/apps/assets/migrations/0002_auto_20180105_1807_squashed_0009_auto_20180307_1212.py
+++ b/apps/assets/migrations/0002_auto_20180105_1807_squashed_0009_auto_20180307_1212.py
@@ -0,0 +1,158 @@
+# Generated by Django 2.1.7 on 2019-02-28 10:16
+
+import assets.models.asset
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    replaces = [('assets', '0002_auto_20180105_1807'), ('assets', '0003_auto_20180109_2331'), ('assets', '0004_auto_20180125_1218'), ('assets', '0005_auto_20180126_1637'), ('assets', '0006_auto_20180130_1502'), ('assets', '0007_auto_20180225_1815'), ('assets', '0008_auto_20180306_1804'), ('assets', '0009_auto_20180307_1212')]
+
+    dependencies = [
+        ('assets', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='adminuser',
+            options={'ordering': ['name'], 'verbose_name': 'Admin user'},
+        ),
+        migrations.AlterModelOptions(
+            name='asset',
+            options={'verbose_name': 'Asset'},
+        ),
+        migrations.AlterModelOptions(
+            name='assetgroup',
+            options={'ordering': ['name'], 'verbose_name': 'Asset group'},
+        ),
+        migrations.AlterModelOptions(
+            name='cluster',
+            options={'ordering': ['name'], 'verbose_name': 'Cluster'},
+        ),
+        migrations.AlterModelOptions(
+            name='systemuser',
+            options={'ordering': ['name'], 'verbose_name': 'System user'},
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='cluster',
+        ),
+        migrations.AlterField(
+            model_name='assetgroup',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by'),
+        ),
+        migrations.CreateModel(
+            name='Label',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('value', models.CharField(max_length=128, verbose_name='Value')),
+                ('category', models.CharField(choices=[('S', 'System'), ('U', 'User')], default='U', max_length=128, verbose_name='Category')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+            ],
+            options={
+                'db_table': 'assets_label',
+            },
+        ),
+        migrations.AlterUniqueTogether(
+            name='label',
+            unique_together={('name', 'value')},
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='labels',
+            field=models.ManyToManyField(blank=True, related_name='assets', to='assets.Label', verbose_name='Labels'),
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='cabinet_no',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='cabinet_pos',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='env',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='remote_card_ip',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='status',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='type',
+        ),
+        migrations.CreateModel(
+            name='Node',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('key', models.CharField(max_length=64, unique=True, verbose_name='Key')),
+                ('value', models.CharField(max_length=128, verbose_name='Value')),
+                ('child_mark', models.IntegerField(default=0)),
+                ('date_create', models.DateTimeField(auto_now_add=True)),
+            ],
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='groups',
+        ),
+        migrations.RemoveField(
+            model_name='systemuser',
+            name='cluster',
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='admin_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='assets.AdminUser', verbose_name='Admin user'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='nodes',
+            field=models.ManyToManyField(default=assets.models.asset.default_node, related_name='assets', to='assets.Node', verbose_name='Nodes'),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='nodes',
+            field=models.ManyToManyField(blank=True, to='assets.Node', verbose_name='Nodes'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='created_by',
+            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=128, verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='platform',
+            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='created_by',
+            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=128, verbose_name='Username'),
+        ),
+    ]
--- a/apps/assets/migrations/0010_auto_20180307_1749_squashed_0019_auto_20180816_1320.py
+++ b/apps/assets/migrations/0010_auto_20180307_1749_squashed_0019_auto_20180816_1320.py
@@ -0,0 +1,220 @@
+# Generated by Django 2.1.7 on 2019-02-28 10:16
+
+import assets.models.utils
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+# Functions from the following migrations need manual copying.
+# Move them and any dependencies into this file, then update the
+# RunPython operations to refer to the local versions:
+# assets.migrations.0017_auto_20180702_1415
+
+def migrate_win_to_ssh_protocol(apps, schema_editor):
+    asset_model = apps.get_model("assets", "Asset")
+    db_alias = schema_editor.connection.alias
+    asset_model.objects.using(db_alias).filter(platform__startswith='Win').update(protocol='rdp')
+
+
+class Migration(migrations.Migration):
+
+    replaces = [('assets', '0010_auto_20180307_1749'), ('assets', '0011_auto_20180326_0957'), ('assets', '0012_auto_20180404_1302'), ('assets', '0013_auto_20180411_1135'), ('assets', '0014_auto_20180427_1245'), ('assets', '0015_auto_20180510_1235'), ('assets', '0016_auto_20180511_1203'), ('assets', '0017_auto_20180702_1415'), ('assets', '0018_auto_20180807_1116'), ('assets', '0019_auto_20180816_1320')]
+
+    dependencies = [
+        ('assets', '0009_auto_20180307_1212'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='node',
+            name='value',
+            field=models.CharField(max_length=128, unique=True, verbose_name='Value'),
+        ),
+        migrations.CreateModel(
+            name='Domain',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Gateway',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('username', models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
+                ('_password', models.CharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('_private_key', models.TextField(blank=True, max_length=4096, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key')),
+                ('_public_key', models.TextField(blank=True, max_length=4096, verbose_name='SSH public key')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('ip', models.GenericIPAddressField(db_index=True, verbose_name='IP')),
+                ('port', models.IntegerField(default=22, verbose_name='Port')),
+                ('protocol', models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('comment', models.CharField(blank=True, max_length=128, null=True, verbose_name='Comment')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('domain', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Domain', verbose_name='Domain')),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='domain',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='assets', to='assets.Domain', verbose_name='Domain'),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='assets',
+            field=models.ManyToManyField(blank=True, to='assets.Asset', verbose_name='Assets'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='sudo',
+            field=models.TextField(default='/bin/whoami', verbose_name='Sudo'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='node',
+            name='value',
+            field=models.CharField(max_length=128, verbose_name='Value'),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='login_mode',
+            field=models.CharField(choices=[('auto', 'Automatic login'), ('manual', 'Manually login')], default='auto', max_length=10, verbose_name='Login mode'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='platform',
+            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Windows2016', 'Windows(2016)'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.RunPython(
+            code=migrate_win_to_ssh_protocol,
+        ),
+        migrations.AddField(
+            model_name='adminuser',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='domain',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='gateway',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='label',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='node',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='hostname',
+            field=models.CharField(max_length=128, verbose_name='Hostname'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='adminuser',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='cpu_vcpus',
+            field=models.IntegerField(null=True, verbose_name='CPU vcpus'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='asset',
+            unique_together={('org_id', 'hostname')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='gateway',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='systemuser',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='label',
+            unique_together={('name', 'value', 'org_id')},
+        ),
+    ]
--- a/apps/assets/migrations/0020_auto_20180816_1652.py
+++ b/apps/assets/migrations/0020_auto_20180816_1652.py
@@ -0,0 +1,48 @@
+# Generated by Django 2.0.7 on 2018-08-16 08:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0019_auto_20180816_1320'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='domain',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='label',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='node',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+    ]
--- a/apps/assets/migrations/0021_auto_20180903_1132.py
+++ b/apps/assets/migrations/0021_auto_20180903_1132.py
@@ -0,0 +1,25 @@
+# Generated by Django 2.1 on 2018-09-03 03:32
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0020_auto_20180816_1652'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='domain',
+            options={'verbose_name': 'Domain'},
+        ),
+        migrations.AlterModelOptions(
+            name='gateway',
+            options={'verbose_name': 'Gateway'},
+        ),
+        migrations.AlterModelOptions(
+            name='node',
+            options={'verbose_name': 'Node'},
+        ),
+    ]
--- a/apps/assets/migrations/0022_auto_20181012_1717.py
+++ b/apps/assets/migrations/0022_auto_20181012_1717.py
@@ -0,0 +1,56 @@
+# Generated by Django 2.1.1 on 2018-10-12 09:17
+
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0021_auto_20180903_1132'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='CommandFilter',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64, verbose_name='Name')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
+                ('created_by', models.CharField(blank=True, default='', max_length=128, verbose_name='Created by')),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.CreateModel(
+            name='CommandFilterRule',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('type', models.CharField(choices=[('regex', 'Regex'), ('command', 'Command')], default='command', max_length=16, verbose_name='Type')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('content', models.TextField(help_text='One line one command', max_length=1024, verbose_name='Content')),
+                ('action', models.IntegerField(choices=[(0, 'Deny'), (1, 'Allow')], default=0, verbose_name='Action')),
+                ('comment', models.CharField(blank=True, default='', max_length=64, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
+                ('created_by', models.CharField(blank=True, default='', max_length=128, verbose_name='Created by')),
+                ('filter', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='rules', to='assets.CommandFilter', verbose_name='Filter')),
+            ],
+            options={
+                'ordering': ('priority', 'action'),
+            },
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='cmd_filters',
+            field=models.ManyToManyField(blank=True, related_name='system_users', to='assets.CommandFilter', verbose_name='Command filter'),
+        ),
+    ]
--- a/apps/assets/migrations/0023_auto_20181016_1650.py
+++ b/apps/assets/migrations/0023_auto_20181016_1650.py
@@ -0,0 +1,28 @@
+# Generated by Django 2.1.1 on 2018-10-16 08:50
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0022_auto_20181012_1717'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='commandfilterrule',
+            options={'ordering': ('-priority', 'action')},
+        ),
+        migrations.AlterField(
+            model_name='commandfilterrule',
+            name='priority',
+            field=models.IntegerField(default=50, help_text='1-100, the higher will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='priority',
+            field=models.IntegerField(default=20, validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority'),
+        ),
+    ]
--- a/apps/assets/migrations/0024_auto_20181219_1614.py
+++ b/apps/assets/migrations/0024_auto_20181219_1614.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.4 on 2018-12-19 08:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0023_auto_20181016_1650'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)'), ('vnc', 'vnc')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)'), ('vnc', 'vnc')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0025_auto_20190221_1902.py
+++ b/apps/assets/migrations/0025_auto_20190221_1902.py
@@ -0,0 +1,21 @@
+# Generated by Django 2.1.7 on 2019-02-21 11:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0024_auto_20181219_1614'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='commandfilter',
+            options={'verbose_name': 'Command filter'},
+        ),
+        migrations.AlterModelOptions(
+            name='commandfilterrule',
+            options={'ordering': ('-priority', 'action'), 'verbose_name': 'Command filter rule'},
+        ),
+    ]
--- a/apps/assets/migrations/0026_auto_20190325_2035.py
+++ b/apps/assets/migrations/0026_auto_20190325_2035.py
@@ -0,0 +1,43 @@
+# Generated by Django 2.1.7 on 2019-03-25 12:35
+
+import assets.models.utils
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0025_auto_20190221_1902'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='AuthBook',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
+                ('_password', models.CharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('_private_key', models.TextField(blank=True, max_length=4096, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key')),
+                ('_public_key', models.TextField(blank=True, max_length=4096, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('is_latest', models.BooleanField(default=False, verbose_name='Latest version')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Asset', verbose_name='Asset')),
+            ],
+            options={
+                'verbose_name': 'AuthBook',
+            },
+        ),
+        migrations.AlterModelOptions(
+            name='node',
+            options={'ordering': ['key'], 'verbose_name': 'Node'},
+        ),
+    ]
--- a/apps/assets/migrations/0027_auto_20190521_1703.py
+++ b/apps/assets/migrations/0027_auto_20190521_1703.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.7 on 2019-05-21 09:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0026_auto_20190325_2035'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='ip',
+            field=models.CharField(db_index=True, max_length=128, verbose_name='IP'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='public_ip',
+            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Public IP'),
+        ),
+    ]
--- a/apps/assets/migrations/0028_protocol.py
+++ b/apps/assets/migrations/0028_protocol.py
@@ -0,0 +1,29 @@
+# Generated by Django 2.1.7 on 2019-05-22 02:58
+
+import django.core.validators
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0027_auto_20190521_1703'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Protocol',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)'), ('vnc', 'vnc')], default='ssh', max_length=16, verbose_name='Name')),
+                ('port', models.IntegerField(default=22, validators=[django.core.validators.MaxValueValidator(65535), django.core.validators.MinValueValidator(1)], verbose_name='Port')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='protocols',
+            field=models.ManyToManyField(to='assets.Protocol',
+                                         verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0029_auto_20190522_1114.py
+++ b/apps/assets/migrations/0029_auto_20190522_1114.py
@@ -0,0 +1,13 @@
+# Generated by Django 2.1.7 on 2019-05-22 03:14
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0028_protocol'),
+    ]
+
+    operations = [
+    ]
--- a/apps/assets/migrations/0030_auto_20190619_1135.py
+++ b/apps/assets/migrations/0030_auto_20190619_1135.py
@@ -0,0 +1,19 @@
+# Generated by Django 2.1.7 on 2019-06-19 03:35
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0029_auto_20190522_1114'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='admin_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='assets', to='assets.AdminUser', verbose_name='Admin user'),
+        ),
+    ]
--- a/apps/assets/migrations/0031_auto_20190621_1332.py
+++ b/apps/assets/migrations/0031_auto_20190621_1332.py
@@ -0,0 +1,53 @@
+# Generated by Django 2.1.7 on 2019-06-21 05:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0030_auto_20190619_1135'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+    ]
--- a/apps/assets/migrations/0032_auto_20190624_2108.py
+++ b/apps/assets/migrations/0032_auto_20190624_2108.py
@@ -0,0 +1,75 @@
+# Generated by Django 2.1.7 on 2019-06-24 13:08
+
+import assets.models.utils
+import common.fields.model
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0031_auto_20190621_1332'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+    ]
--- a/apps/assets/migrations/0033_auto_20190624_2108.py
+++ b/apps/assets/migrations/0033_auto_20190624_2108.py
@@ -0,0 +1,73 @@
+# Generated by Django 2.1.7 on 2019-06-24 13:08
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0032_auto_20190624_2108'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_password',
+            new_name='password',
+        ),
+    ]
--- a/apps/assets/migrations/0034_auto_20190705_1348.py
+++ b/apps/assets/migrations/0034_auto_20190705_1348.py
@@ -0,0 +1,39 @@
+# Generated by Django 2.1.7 on 2019-07-05 05:48
+
+from django.db import migrations
+from django.db.models import F
+from django.db.models import CharField, Value as V
+from django.db.models.functions import Concat
+
+
+def migrate_assets_protocol(apps, schema_editor):
+    asset_model = apps.get_model("assets", "Asset")
+    db_alias = schema_editor.connection.alias
+    assets = asset_model.objects.using(db_alias).all().annotate(
+        protocols_new=Concat(
+            'protocol', V('/'), 'port',
+            output_field=CharField(),
+        ),
+    )
+    assets.update(protocols=F('protocols_new'))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0033_auto_20190624_2108'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='asset',
+            name='protocols',
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='protocols',
+            field=CharField(blank=True, default='ssh/22', max_length=128, verbose_name='Protocols'),
+        ),
+        migrations.RunPython(migrate_assets_protocol),
+        migrations.DeleteModel(name='Protocol'),
+    ]
--- a/apps/assets/migrations/0035_auto_20190711_2018.py
+++ b/apps/assets/migrations/0035_auto_20190711_2018.py
@@ -0,0 +1,34 @@
+# Generated by Django 2.1.7 on 2019-07-11 12:18
+
+import common.fields.model
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0034_auto_20190705_1348'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+    ]
--- a/apps/assets/migrations/0036_auto_20190716_1535.py
+++ b/apps/assets/migrations/0036_auto_20190716_1535.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-07-16 07:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0035_auto_20190711_2018'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='commandfilter',
+            name='name',
+            field=models.CharField(max_length=64, unique=True, verbose_name='Name'),
+        ),
+    ]
--- a/apps/assets/migrations/0037_auto_20190724_2002.py
+++ b/apps/assets/migrations/0037_auto_20190724_2002.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-07-24 12:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0036_auto_20190716_1535'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_become_pass',
+            field=models.CharField(blank=True, default='', max_length=128),
+        ),
+    ]
--- a/apps/assets/migrations/0038_auto_20190911_1634.py
+++ b/apps/assets/migrations/0038_auto_20190911_1634.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.7 on 2019-09-11 08:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0037_auto_20190724_2002'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet'), ('vnc', 'vnc')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet'), ('vnc', 'vnc')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0039_authbook_is_active.py
+++ b/apps/assets/migrations/0039_authbook_is_active.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-09-17 12:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0038_auto_20190911_1634'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authbook',
+            name='is_active',
+            field=models.BooleanField(default=True, verbose_name='Is active'),
+        ),
+    ]
--- a/apps/assets/migrations/0040_auto_20190917_2056.py
+++ b/apps/assets/migrations/0040_auto_20190917_2056.py
@@ -0,0 +1,36 @@
+# Generated by Django 2.1.7 on 2019-09-17 12:56
+
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0039_authbook_is_active'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+    ]
--- a/apps/assets/migrations/0041_gathereduser.py
+++ b/apps/assets/migrations/0041_gathereduser.py
@@ -0,0 +1,28 @@
+# Generated by Django 2.1.7 on 2019-09-18 04:10
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0040_auto_20190917_2056'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='GatheredUser',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('username', models.CharField(blank=True, db_index=True, max_length=32, verbose_name='Username')),
+                ('present', models.BooleanField(default=True, verbose_name='Present')),
+                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Asset', verbose_name='Asset')),
+            ],
+            options={'ordering': ['asset'], 'verbose_name': 'GatherUser'},
+        ),
+    ]
--- a/apps/assets/models/init.py
+++ b/apps/assets/models/init.py
@@ -1,11 +1,12 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-#
-from .user import AdminUser, SystemUser
+from .asset import *
 from .label import Label
+from .user import *
 from .cluster import *
 from .group import *
 from .domain import *
 from .node import *
-from .asset import *
+from .cmd_filter import *
+from .authbook import *
 from .utils import *
+from .authbook import *
+from .gathered_user import *
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -6,16 +6,15 @@ import uuid
 import logging
 import random
 from functools import reduce
+from collections import OrderedDict

 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.core.cache import cache

-from ..const import ASSET_ADMIN_CONN_CACHE_KEY
-from .user import AdminUser, SystemUser
-from orgs.mixins import OrgModelMixin,OrgManager
+from .utils import Connectivity
+from orgs.mixins.models import OrgModelMixin, OrgManager

-__all__ = ['Asset']
+__all__ = ['Asset', 'ProtocolsMixin']
 logger = logging.getLogger(__name__)


@@ -32,7 +31,8 @@ def default_cluster():
 def default_node():
    try:
        from .node import Node
-        return Node.root()
+        root = Node.org_root()
+        return root
    except:
        return None

@@ -44,8 +44,82 @@ class AssetQuerySet(models.QuerySet):
    def valid(self):
        return self.active()

+    def has_protocol(self, name):
+        return self.filter(protocols__contains=name)

-class Asset(OrgModelMixin):
+
+class ProtocolsMixin:
+    protocols = ''
+    PROTOCOL_SSH = 'ssh'
+    PROTOCOL_RDP = 'rdp'
+    PROTOCOL_TELNET = 'telnet'
+    PROTOCOL_VNC = 'vnc'
+    PROTOCOL_CHOICES = (
+        (PROTOCOL_SSH, 'ssh'),
+        (PROTOCOL_RDP, 'rdp'),
+        (PROTOCOL_TELNET, 'telnet'),
+        (PROTOCOL_VNC, 'vnc'),
+    )
+
+    @property
+    def protocols_as_list(self):
+        if not self.protocols:
+            return []
+        return self.protocols.split(' ')
+
+    @property
+    def protocols_as_dict(self):
+        d = OrderedDict()
+        protocols = self.protocols_as_list
+        for i in protocols:
+            if '/' not in i:
+                continue
+            name, port = i.split('/')[:2]
+            if not all([name, port]):
+                continue
+            d[name] = int(port)
+        return d
+
+    @property
+    def protocols_as_json(self):
+        return [
+            {"name": name, "port": port}
+            for name, port in self.protocols_as_dict.items()
+        ]
+
+    def has_protocol(self, name):
+        return name in self.protocols_as_dict
+
+    @property
+    def ssh_port(self):
+        return self.protocols_as_dict.get("ssh", 22)
+
+
+class NodesRelationMixin:
+    NODES_CACHE_KEY = 'ASSET_NODES_{}'
+    ALL_ASSET_NODES_CACHE_KEY = 'ALL_ASSETS_NODES'
+    CACHE_TIME = 3600 * 24 * 7
+    id = ""
+    _all_nodes_keys = None
+
+    def get_nodes(self):
+        from .node import Node
+        nodes = self.nodes.all()
+        if not nodes:
+            nodes = Node.objects.filter(id=Node.org_root().id)
+        return nodes
+
+    def get_all_nodes(self, flat=False):
+        nodes = []
+        for node in self.get_nodes():
+            _nodes = node.get_ancestors(with_self=True)
+            nodes.append(_nodes)
+        if flat:
+            nodes = list(reduce(lambda x, y: set(x) | set(y), nodes))
+        return nodes
+
+
+class Asset(ProtocolsMixin, NodesRelationMixin, OrgModelMixin):
    # Important
    PLATFORM_CHOICES = (
        ('Linux', 'Linux'),
@@ -57,77 +131,52 @@ class Asset(OrgModelMixin):
        ('Other', 'Other'),
    )

-    SSH_PROTOCOL = 'ssh'
-    RDP_PROTOCOL = 'rdp'
-    TELNET_PROTOCOL = 'telnet'
-    PROTOCOL_CHOICES = (
-        (SSH_PROTOCOL, 'ssh'),
-        (RDP_PROTOCOL, 'rdp'),
-        (TELNET_PROTOCOL, 'telnet (beta)'),
-    )
-
    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
-    ip = models.GenericIPAddressField(max_length=32, verbose_name=_('IP'), db_index=True)
+    ip = models.CharField(max_length=128, verbose_name=_('IP'), db_index=True)
    hostname = models.CharField(max_length=128, verbose_name=_('Hostname'))
-    protocol = models.CharField(max_length=128, default=SSH_PROTOCOL, choices=PROTOCOL_CHOICES, verbose_name=_('Protocol'))
+    protocol = models.CharField(max_length=128, default=ProtocolsMixin.PROTOCOL_SSH,
+                                choices=ProtocolsMixin.PROTOCOL_CHOICES,
+                                verbose_name=_('Protocol'))
    port = models.IntegerField(default=22, verbose_name=_('Port'))
+
+    protocols = models.CharField(max_length=128, default='ssh/22', blank=True, verbose_name=_("Protocols"))
    platform = models.CharField(max_length=128, choices=PLATFORM_CHOICES, default='Linux', verbose_name=_('Platform'))
-    domain = models.ForeignKey("assets.Domain", null=True, blank=True,
-                               related_name='assets', verbose_name=_("Domain"),
-                               on_delete=models.SET_NULL)
-    nodes = models.ManyToManyField('assets.Node', default=default_node,
-                                   related_name='assets',
-                                   verbose_name=_("Nodes"))
+    domain = models.ForeignKey("assets.Domain", null=True, blank=True, related_name='assets', verbose_name=_("Domain"), on_delete=models.SET_NULL)
+    nodes = models.ManyToManyField('assets.Node', default=default_node, related_name='assets', verbose_name=_("Nodes"))
    is_active = models.BooleanField(default=True, verbose_name=_('Is active'))

    # Auth
-    admin_user = models.ForeignKey('assets.AdminUser', on_delete=models.PROTECT,
-                                   null=True, verbose_name=_("Admin user"))
+    admin_user = models.ForeignKey('assets.AdminUser', on_delete=models.PROTECT, null=True, verbose_name=_("Admin user"), related_name='assets')

    # Some information
-    public_ip = models.GenericIPAddressField(max_length=32, blank=True, null=True, verbose_name=_('Public IP'))
+    public_ip = models.CharField(max_length=128, blank=True, null=True, verbose_name=_('Public IP'))
    number = models.CharField(max_length=32, null=True, blank=True, verbose_name=_('Asset number'))

    # Collect
-    vendor = models.CharField(max_length=64, null=True, blank=True,
-                              verbose_name=_('Vendor'))
-    model = models.CharField(max_length=54, null=True, blank=True,
-                             verbose_name=_('Model'))
-    sn = models.CharField(max_length=128, null=True, blank=True,
-                          verbose_name=_('Serial number'))
+    vendor = models.CharField(max_length=64, null=True, blank=True, verbose_name=_('Vendor'))
+    model = models.CharField(max_length=54, null=True, blank=True, verbose_name=_('Model'))
+    sn = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Serial number'))

-    cpu_model = models.CharField(max_length=64, null=True, blank=True,
-                                 verbose_name=_('CPU model'))
+    cpu_model = models.CharField(max_length=64, null=True, blank=True, verbose_name=_('CPU model'))
    cpu_count = models.IntegerField(null=True, verbose_name=_('CPU count'))
    cpu_cores = models.IntegerField(null=True, verbose_name=_('CPU cores'))
-    memory = models.CharField(max_length=64, null=True, blank=True,
-                              verbose_name=_('Memory'))
-    disk_total = models.CharField(max_length=1024, null=True, blank=True,
-                                  verbose_name=_('Disk total'))
-    disk_info = models.CharField(max_length=1024, null=True, blank=True,
-                                 verbose_name=_('Disk info'))
+    cpu_vcpus = models.IntegerField(null=True, verbose_name=_('CPU vcpus'))
+    memory = models.CharField(max_length=64, null=True, blank=True, verbose_name=_('Memory'))
+    disk_total = models.CharField(max_length=1024, null=True, blank=True, verbose_name=_('Disk total'))
+    disk_info = models.CharField(max_length=1024, null=True, blank=True, verbose_name=_('Disk info'))

-    os = models.CharField(max_length=128, null=True, blank=True,
-                          verbose_name=_('OS'))
-    os_version = models.CharField(max_length=16, null=True, blank=True,
-                                  verbose_name=_('OS version'))
-    os_arch = models.CharField(max_length=16, blank=True, null=True,
-                               verbose_name=_('OS arch'))
-    hostname_raw = models.CharField(max_length=128, blank=True, null=True,
-                                    verbose_name=_('Hostname raw'))
+    os = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('OS'))
+    os_version = models.CharField(max_length=16, null=True, blank=True, verbose_name=_('OS version'))
+    os_arch = models.CharField(max_length=16, blank=True, null=True, verbose_name=_('OS arch'))
+    hostname_raw = models.CharField(max_length=128, blank=True, null=True, verbose_name=_('Hostname raw'))

-    labels = models.ManyToManyField('assets.Label', blank=True,
-                                    related_name='assets',
-                                    verbose_name=_("Labels"))
-    created_by = models.CharField(max_length=32, null=True, blank=True,
-                                  verbose_name=_('Created by'))
-    date_created = models.DateTimeField(auto_now_add=True, null=True,
-                                        blank=True,
-                                        verbose_name=_('Date created'))
-    comment = models.TextField(max_length=128, default='', blank=True,
-                               verbose_name=_('Comment'))
+    labels = models.ManyToManyField('assets.Label', blank=True, related_name='assets', verbose_name=_("Labels"))
+    created_by = models.CharField(max_length=32, null=True, blank=True, verbose_name=_('Created by'))
+    date_created = models.DateTimeField(auto_now_add=True, null=True, blank=True, verbose_name=_('Date created'))
+    comment = models.TextField(max_length=128, default='', blank=True, verbose_name=_('Comment'))

    objects = OrgManager.from_queryset(AssetQuerySet)()
+    _connectivity = None

    def __str__(self):
        return '{0.hostname}({0.ip})'.format(self)
@@ -137,94 +186,109 @@ class Asset(OrgModelMixin):
        warning = ''
        if not self.is_active:
            warning += ' inactive'
-        else:
-            return True, ''
-        return False, warning
+        if warning:
+            return False, warning
+        return True, warning

-    def is_unixlike(self):
-        if self.platform not in ("Windows", "Windows2016"):
+    def is_windows(self):
+        if self.platform in ("Windows", "Windows2016"):
            return True
        else:
            return False

-    def get_nodes(self):
-        from .node import Node
-        nodes = self.nodes.all() or [Node.root()]
-        return nodes
+    def is_unixlike(self):
+        if self.platform not in ("Windows", "Windows2016", "Other"):
+            return True
+        else:
+            return False

-    def get_all_nodes(self, flat=False):
-        nodes = []
-        for node in self.get_nodes():
-            _nodes = node.get_ancestor(with_self=True)
-            _nodes.append(_nodes)
-        if flat:
-            nodes = list(reduce(lambda x, y: set(x) | set(y), nodes))
-        return nodes
+    def is_support_ansible(self):
+        return self.has_protocol('ssh') and self.platform not in ("Other",)

    @property
-    def org_name(self):
-        from orgs.models import Organization
-        org = Organization.get_instance(self.org_id)
-        return org.name
+    def cpu_info(self):
+        info = ""
+        if self.cpu_model:
+            info += self.cpu_model
+        if self.cpu_count and self.cpu_cores:
+            info += "{}*{}".format(self.cpu_count, self.cpu_cores)
+        return info

    @property
    def hardware_info(self):
        if self.cpu_count:
            return '{} Core {} {}'.format(
-                self.cpu_count * self.cpu_cores,
+                self.cpu_vcpus or self.cpu_count * self.cpu_cores,
                self.memory, self.disk_total
            )
        else:
            return ''

    @property
-    def is_connective(self):
-        if not self.is_unixlike():
-            return True
-        val = cache.get(ASSET_ADMIN_CONN_CACHE_KEY.format(self.hostname))
-        if val == 1:
-            return True
-        else:
-            return False
+    def connectivity(self):
+        if self._connectivity:
+            return self._connectivity
+        if not self.admin_user:
+            return Connectivity.unknown()
+        connectivity = self.admin_user.get_asset_connectivity(self)
+        return connectivity

-    def to_json(self):
-        info = {
-            'id': self.id,
-            'hostname': self.hostname,
-            'ip': self.ip,
-            'port': self.port,
-        }
-        if self.domain and self.domain.gateway_set.all():
-            info["gateways"] = [d.id for d in self.domain.gateway_set.all()]
-        return info
+    @connectivity.setter
+    def connectivity(self, value):
+        if not self.admin_user:
+            return
+        self.admin_user.set_asset_connectivity(self, value)

    def get_auth_info(self):
-        if self.admin_user:
-            return {
-                'username': self.admin_user.username,
-                'password': self.admin_user.password,
-                'private_key': self.admin_user.private_key_file,
-                'become': self.admin_user.become_info,
+        if not self.admin_user:
+            return {}
+
+        self.admin_user.load_specific_asset_auth(self)
+        info = {
+            'username': self.admin_user.username,
+            'password': self.admin_user.password,
+            'private_key': self.admin_user.private_key_file,
+        }
+        return info
+
+    def as_node(self):
+        from .node import Node
+        fake_node = Node()
+        fake_node.id = self.id
+        fake_node.key = self.id
+        fake_node.value = self.hostname
+        fake_node.asset = self
+        fake_node.is_node = False
+        return fake_node
+
+    def as_tree_node(self, parent_node):
+        from common.tree import TreeNode
+        icon_skin = 'file'
+        if self.platform.lower() == 'windows':
+            icon_skin = 'windows'
+        elif self.platform.lower() == 'linux':
+            icon_skin = 'linux'
+        data = {
+            'id': str(self.id),
+            'name': self.hostname,
+            'title': self.ip,
+            'pId': parent_node.key,
+            'isParent': False,
+            'open': False,
+            'iconSkin': icon_skin,
+            'meta': {
+                'type': 'asset',
+                'asset': {
+                    'id': self.id,
+                    'hostname': self.hostname,
+                    'ip': self.ip,
+                    'protocols': self.protocols_as_list,
+                    'platform': self.platform,
+                }
            }
-
-    def _to_secret_json(self):
-        """
-        Ansible use it create inventory, First using asset user,
-        otherwise using cluster admin user
-
-        Todo: May be move to ops implements it
-        """
-        data = self.to_json()
-        if self.admin_user:
-            admin_user = self.admin_user
-            data.update({
-                'username': admin_user.username,
-                'password': admin_user.password,
-                'private_key': admin_user.private_key_file,
-                'become': admin_user.become_info,
-                'groups': [node.value for node in self.nodes.all()],
-            })
-        return data
+        }
+        tree_node = TreeNode(**data)
+        return tree_node

    class Meta:
        unique_together = [('org_id', 'hostname')]
@@ -232,21 +296,32 @@ class Asset(OrgModelMixin):

    @classmethod
    def generate_fake(cls, count=100):
+        from .user import AdminUser, SystemUser
        from random import seed, choice
-        import forgery_py
        from django.db import IntegrityError
+        from .node import Node
+        from orgs.utils import get_current_org
+        from orgs.models import Organization
+        org = get_current_org()
+        if not org or not org.is_real():
+            Organization.default().change_to()

+        nodes = list(Node.objects.all())
        seed()
        for i in range(count):
            ip = [str(i) for i in random.sample(range(255), 4)]
            asset = cls(ip='.'.join(ip),
-                        hostname=forgery_py.internet.user_name(True),
+                        hostname='.'.join(ip),
                        admin_user=choice(AdminUser.objects.all()),
-                        port=22,
                        created_by='Fake')
            try:
                asset.save()
-                asset.system_users = [choice(SystemUser.objects.all()) for i in range(3)]
+                asset.protocols = 'ssh/22'
+                if nodes and len(nodes) > 3:
+                    _nodes = random.sample(nodes, 3)
+                else:
+                    _nodes = [Node.default_node()]
+                asset.nodes.set(_nodes)
                logger.debug('Generate fake asset : %s' % asset.ip)
            except IntegrityError:
                print('Error continue')
--- a/apps/assets/models/authbook.py
+++ b/apps/assets/models/authbook.py
@@ -0,0 +1,91 @@
+# -*- coding: utf-8 -*-
+#
+
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from orgs.mixins.models import OrgManager
+from .base import AssetUser
+
+__all__ = ['AuthBook']
+
+
+class AuthBookQuerySet(models.QuerySet):
+
+    def latest_version(self):
+        return self.filter(is_latest=True).filter(is_active=True)
+
+
+class AuthBookManager(OrgManager):
+    pass
+
+
+class AuthBook(AssetUser):
+    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset'))
+    is_latest = models.BooleanField(default=False, verbose_name=_('Latest version'))
+    version = models.IntegerField(default=1, verbose_name=_('Version'))
+    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
+
+    objects = AuthBookManager.from_queryset(AuthBookQuerySet)()
+    backend = "db"
+    # 用于system user和admin_user的动态设置
+    _connectivity = None
+    CONN_CACHE_KEY = "ASSET_USER_CONN_{}"
+
+    class Meta:
+        verbose_name = _('AuthBook')
+
+    def set_to_latest(self):
+        self.remove_pre_latest()
+        self.is_latest = True
+        self.save()
+
+    def get_pre_latest(self):
+        pre_obj = self.__class__.objects.filter(
+            username=self.username, asset=self.asset
+        ).latest_version().first()
+        return pre_obj
+
+    def remove_pre_latest(self):
+        pre_obj = self.get_pre_latest()
+        if pre_obj:
+            pre_obj.is_latest = False
+            pre_obj.save()
+
+    def set_version(self):
+        pre_obj = self.get_pre_latest()
+        if pre_obj:
+            self.version = pre_obj.version + 1
+        else:
+            self.version = 1
+        self.save()
+
+    def set_version_and_latest(self):
+        self.set_version()
+        self.set_to_latest()
+
+    def get_related_assets(self):
+        return [self.asset]
+
+    def generate_id_with_asset(self, asset):
+        return self.id
+
+    @property
+    def connectivity(self):
+        return self.get_asset_connectivity(self.asset)
+
+    @property
+    def keyword(self):
+        return '{}_#_{}'.format(self.username, str(self.asset.id))
+
+    @property
+    def hostname(self):
+        return self.asset.hostname
+
+    @property
+    def ip(self):
+        return self.asset.ip
+
+    def __str__(self):
+        return '{}@{}'.format(self.username, self.asset)
+
--- a/apps/assets/models/base.py
+++ b/apps/assets/models/base.py
@@ -5,57 +5,47 @@ import uuid
 from hashlib import md5

 import sshpubkeys
+from django.core.cache import cache
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings

-from common.utils import get_signer, ssh_key_string_to_obj, ssh_key_gen
+from common.utils import (
+    get_signer, ssh_key_string_to_obj, ssh_key_gen, get_logger
+)
 from common.validators import alphanumeric
-from orgs.mixins import OrgModelMixin
-from .utils import private_key_validator
+from common import fields
+from orgs.mixins.models import OrgModelMixin
+from .utils import private_key_validator, Connectivity

 signer = get_signer()

+logger = get_logger(__file__)
+

 class AssetUser(OrgModelMixin):
    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
    name = models.CharField(max_length=128, verbose_name=_('Name'))
-    username = models.CharField(max_length=32, blank=True, verbose_name=_('Username'), validators=[alphanumeric])
-    _password = models.CharField(max_length=256, blank=True, null=True, verbose_name=_('Password'))
-    _private_key = models.TextField(max_length=4096, blank=True, null=True, verbose_name=_('SSH private key'), validators=[private_key_validator, ])
-    _public_key = models.TextField(max_length=4096, blank=True, verbose_name=_('SSH public key'))
+    username = models.CharField(max_length=32, blank=True, verbose_name=_('Username'), validators=[alphanumeric], db_index=True)
+    password = fields.EncryptCharField(max_length=256, blank=True, null=True, verbose_name=_('Password'))
+    private_key = fields.EncryptTextField(blank=True, null=True, verbose_name=_('SSH private key'))
+    public_key = fields.EncryptTextField(blank=True, null=True, verbose_name=_('SSH public key'))
    comment = models.TextField(blank=True, verbose_name=_('Comment'))
-    date_created = models.DateTimeField(auto_now_add=True)
-    date_updated = models.DateTimeField(auto_now=True)
+    date_created = models.DateTimeField(auto_now_add=True, verbose_name=_("Date created"))
+    date_updated = models.DateTimeField(auto_now=True, verbose_name=_("Date updated"))
    created_by = models.CharField(max_length=128, null=True, verbose_name=_('Created by'))

-    @property
-    def password(self):
-        if self._password:
-            return signer.unsign(self._password)
-        else:
-            return None
+    CONNECTIVITY_ASSET_CACHE_KEY = "ASSET_USER_{}_{}_ASSET_CONNECTIVITY"
+    CONNECTIVITY_AMOUNT_CACHE_KEY = "ASSET_USER_{}_{}_CONNECTIVITY_AMOUNT"
+    ASSETS_AMOUNT_CACHE_KEY = "ASSET_USER_{}_ASSETS_AMOUNT"
+    ASSET_USER_CACHE_TIME = 3600 * 24

-    @password.setter
-    def password(self, password_raw):
-        raise AttributeError("Using set_auth do that")
-        # self._password = signer.sign(password_raw)
-
-    @property
-    def private_key(self):
-        if self._private_key:
-            return signer.unsign(self._private_key)
-
-    @private_key.setter
-    def private_key(self, private_key_raw):
-        raise AttributeError("Using set_auth do that")
-        # self._private_key = signer.sign(private_key_raw)
+    _prefer = "system_user"

    @property
    def private_key_obj(self):
-        if self._private_key:
-            key_str = signer.unsign(self._private_key)
-            return ssh_key_string_to_obj(key_str, password=self.password)
+        if self.private_key:
+            return ssh_key_string_to_obj(self.private_key, password=self.password)
        else:
            return None

@@ -65,22 +55,13 @@ class AssetUser(OrgModelMixin):
            return None
        project_dir = settings.PROJECT_DIR
        tmp_dir = os.path.join(project_dir, 'tmp')
-        key_str = signer.unsign(self._private_key)
-        key_name = '.' + md5(key_str.encode('utf-8')).hexdigest()
+        key_name = '.' + md5(self.private_key.encode('utf-8')).hexdigest()
        key_path = os.path.join(tmp_dir, key_name)
        if not os.path.exists(key_path):
            self.private_key_obj.write_private_key_file(key_path)
            os.chmod(key_path, 0o400)
        return key_path

-    @property
-    def public_key(self):
-        key = signer.unsign(self._public_key)
-        if key:
-            return key
-        else:
-            return None
-
    @property
    def public_key_obj(self):
        if self.public_key:
@@ -90,35 +71,153 @@ class AssetUser(OrgModelMixin):
                pass
        return None

+    @property
+    def part_id(self):
+        i = '-'.join(str(self.id).split('-')[:3])
+        return i
+
+    def get_related_assets(self):
+        assets = self.assets.all()
+        return assets
+
    def set_auth(self, password=None, private_key=None, public_key=None):
        update_fields = []
        if password:
-            self._password = signer.sign(password)
-            update_fields.append('_password')
+            self.password = password
+            update_fields.append('password')
        if private_key:
-            self._private_key = signer.sign(private_key)
-            update_fields.append('_private_key')
+            self.private_key = private_key
+            update_fields.append('private_key')
        if public_key:
-            self._public_key = signer.sign(public_key)
-            update_fields.append('_public_key')
+            self.public_key = public_key
+            update_fields.append('public_key')

        if update_fields:
            self.save(update_fields=update_fields)

+    def set_connectivity(self, summary):
+        unreachable = summary.get('dark', {}).keys()
+        reachable = summary.get('contacted', {}).keys()
+
+        assets = self.get_related_assets()
+        if not isinstance(assets, list):
+            assets = assets.only('id', 'hostname', 'admin_user__id')
+        for asset in assets:
+            if asset.hostname in unreachable:
+                self.set_asset_connectivity(asset, Connectivity.unreachable())
+            elif asset.hostname in reachable:
+                self.set_asset_connectivity(asset, Connectivity.reachable())
+            else:
+                self.set_asset_connectivity(asset, Connectivity.unknown())
+        cache_key = self.CONNECTIVITY_AMOUNT_CACHE_KEY.format(self.username, self.part_id)
+        cache.delete(cache_key)
+
+    @property
+    def connectivity(self):
+        assets = self.get_related_assets()
+        if not isinstance(assets, list):
+            assets = assets.only('id', 'hostname', 'admin_user__id')
+        data = {
+            'unreachable': [],
+            'reachable': [],
+            'unknown': [],
+        }
+        for asset in assets:
+            connectivity = self.get_asset_connectivity(asset)
+            if connectivity.is_reachable():
+                data["reachable"].append(asset.hostname)
+            elif connectivity.is_unreachable():
+                data["unreachable"].append(asset.hostname)
+            else:
+                data["unknown"].append(asset.hostname)
+        return data
+
+    @property
+    def connectivity_amount(self):
+        cache_key = self.CONNECTIVITY_AMOUNT_CACHE_KEY.format(self.username, self.part_id)
+        amount = cache.get(cache_key)
+        if not amount:
+            amount = {k: len(v) for k, v in self.connectivity.items()}
+            cache.set(cache_key, amount, self.ASSET_USER_CACHE_TIME)
+        return amount
+
+    @property
+    def assets_amount(self):
+        cache_key = self.ASSETS_AMOUNT_CACHE_KEY.format(self.id)
+        cached = cache.get(cache_key)
+        if not cached:
+            cached = self.get_related_assets().count()
+            cache.set(cache_key, cached, self.ASSET_USER_CACHE_TIME)
+        return cached
+
+    def expire_assets_amount(self):
+        cache_key = self.ASSETS_AMOUNT_CACHE_KEY.format(self.id)
+        cache.delete(cache_key)
+
+    def get_asset_connectivity(self, asset):
+        key = self.get_asset_connectivity_key(asset)
+        return Connectivity.get(key)
+
+    def get_asset_connectivity_key(self, asset):
+        return self.CONNECTIVITY_ASSET_CACHE_KEY.format(self.username, asset.id)
+
+    def set_asset_connectivity(self, asset, c):
+        key = self.get_asset_connectivity_key(asset)
+        Connectivity.set(key, c)
+
+    def get_asset_user(self, asset):
+        from ..backends import AssetUserManager
+        try:
+            manager = AssetUserManager().prefer(self._prefer)
+            other = manager.get(username=self.username, asset=asset, prefer_id=self.id)
+            return other
+        except Exception as e:
+            logger.error(e, exc_info=True)
+            return None
+
+    def load_specific_asset_auth(self, asset):
+        instance = self.get_asset_user(asset)
+        if instance:
+            self._merge_auth(instance)
+
+    def _merge_auth(self, other):
+        if other.password:
+            self.password = other.password
+        if other.public_key:
+            self.public_key = other.public_key
+        if other.private_key:
+            self.private_key = other.private_key
+
    def clear_auth(self):
-        self._password = ''
-        self._private_key = ''
-        self._public_key = ''
+        self.password = ''
+        self.private_key = ''
+        self.public_key = ''
        self.save()

+    @staticmethod
+    def gen_password():
+        return str(uuid.uuid4())
+
+    @staticmethod
+    def gen_key(username):
+        private_key, public_key = ssh_key_gen(
+            username=username
+        )
+        return private_key, public_key
+
    def auto_gen_auth(self):
        password = str(uuid.uuid4())
        private_key, public_key = ssh_key_gen(
            username=self.username
        )
-        self.set_auth(password=password,
-                      private_key=private_key,
-                      public_key=public_key)
+        self.set_auth(
+            password=password, private_key=private_key,
+            public_key=public_key
+        )
+
+    def auto_gen_auth_password(self):
+        password = str(uuid.uuid4())
+        self.set_auth(password=password)

    def _to_secret_json(self):
        """Push system user use it"""
@@ -130,5 +229,26 @@ class AssetUser(OrgModelMixin):
            'private_key': self.private_key_file,
        }

+    def generate_id_with_asset(self, asset):
+        user_id = [self.part_id]
+        asset_id = str(asset.id).split('-')[3:]
+        ids = user_id + asset_id
+        return '-'.join(ids)
+
+    def construct_to_authbook(self, asset):
+        from . import AuthBook
+        fields = [
+            'name', 'username', 'comment', 'org_id',
+            'password', 'private_key', 'public_key',
+            'date_created', 'date_updated', 'created_by'
+        ]
+        i = self.generate_id_with_asset(asset)
+        obj = AuthBook(id=i, asset=asset, version=0, is_latest=True)
+        for field in fields:
+            value = getattr(self, field)
+            setattr(obj, field, value)
+        return obj
+
    class Meta:
        abstract = True
+
--- a/apps/assets/models/cluster.py
+++ b/apps/assets/models/cluster.py
@@ -52,7 +52,8 @@ class Cluster(models.Model):
                          contact=forgery_py.name.full_name(),
                          phone=forgery_py.address.phone(),
                          address=forgery_py.address.city() + forgery_py.address.street_address(),
-                          operator=choice(['北京联通', '北京电信', 'BGP全网通']),
+                          # operator=choice(['北京联通', '北京电信', 'BGP全网通']),
+                          operator=choice([_('Beijing unicom'), _('Beijing telecom'), _('BGP full netcom')]),
                          comment=forgery_py.lorem_ipsum.sentence(),
                          created_by='Fake')
            try:
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -0,0 +1,91 @@
+# -*- coding: utf-8 -*-
+#
+import uuid
+import re
+
+from django.db import models
+from django.core.validators import MinValueValidator, MaxValueValidator
+from django.utils.translation import ugettext_lazy as _
+
+from orgs.mixins.models import OrgModelMixin
+
+
+__all__ = [
+    'CommandFilter', 'CommandFilterRule'
+]
+
+
+class CommandFilter(OrgModelMixin):
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    name = models.CharField(max_length=64, unique=True, verbose_name=_("Name"))
+    is_active = models.BooleanField(default=True, verbose_name=_('Is active'))
+    comment = models.TextField(blank=True, default='', verbose_name=_("Comment"))
+    date_created = models.DateTimeField(auto_now_add=True)
+    date_updated = models.DateTimeField(auto_now=True)
+    created_by = models.CharField(max_length=128, blank=True, default='', verbose_name=_('Created by'))
+
+    def __str__(self):
+        return self.name
+
+    class Meta:
+        verbose_name = _("Command filter")
+
+
+class CommandFilterRule(OrgModelMixin):
+    TYPE_REGEX = 'regex'
+    TYPE_COMMAND = 'command'
+    TYPE_CHOICES = (
+        (TYPE_REGEX, _('Regex')),
+        (TYPE_COMMAND, _('Command')),
+    )
+
+    ACTION_DENY, ACTION_ALLOW, ACTION_UNKNOWN = range(3)
+    ACTION_CHOICES = (
+        (ACTION_DENY, _('Deny')),
+        (ACTION_ALLOW, _('Allow')),
+    )
+
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    filter = models.ForeignKey('CommandFilter', on_delete=models.CASCADE, verbose_name=_("Filter"), related_name='rules')
+    type = models.CharField(max_length=16, default=TYPE_COMMAND, choices=TYPE_CHOICES, verbose_name=_("Type"))
+    priority = models.IntegerField(default=50, verbose_name=_("Priority"), help_text=_("1-100, the higher will be match first"),
+                                   validators=[MinValueValidator(1), MaxValueValidator(100)])
+    content = models.TextField(max_length=1024, verbose_name=_("Content"), help_text=_("One line one command"))
+    action = models.IntegerField(default=ACTION_DENY, choices=ACTION_CHOICES, verbose_name=_("Action"))
+    comment = models.CharField(max_length=64, blank=True, default='', verbose_name=_("Comment"))
+    date_created = models.DateTimeField(auto_now_add=True)
+    date_updated = models.DateTimeField(auto_now=True)
+    created_by = models.CharField(max_length=128, blank=True, default='', verbose_name=_('Created by'))
+
+    __pattern = None
+
+    class Meta:
+        ordering = ('-priority', 'action')
+        verbose_name = _("Command filter rule")
+
+    @property
+    def _pattern(self):
+        if self.__pattern:
+            return self.__pattern
+        if self.type == 'command':
+            regex = []
+            for cmd in self.content.split('\r\n'):
+                cmd = cmd.replace(' ', '\s+')
+                regex.append(r'\b{0}\b'.format(cmd))
+            self.__pattern = re.compile(r'{}'.format('|'.join(regex)))
+        else:
+            self.__pattern = re.compile(r'{0}'.format(self.content))
+        return self.__pattern
+
+    def match(self, data):
+        found = self._pattern.search(data)
+        if not found:
+            return self.ACTION_UNKNOWN, ''
+
+        if self.action == self.ACTION_ALLOW:
+            return self.ACTION_ALLOW, found.group()
+        else:
+            return self.ACTION_DENY, found.group()
+
+    def __str__(self):
+        return '{} % {}'.format(self.type, self.content)
--- a/apps/assets/models/domain.py
+++ b/apps/assets/models/domain.py
@@ -4,10 +4,12 @@
 import uuid
 import random

+import paramiko
+
 from django.db import models
 from django.utils.translation import ugettext_lazy as _

-from orgs.mixins import OrgModelMixin
+from orgs.mixins.models import OrgModelMixin
 from .base import AssetUser

 __all__ = ['Domain', 'Gateway']
@@ -20,6 +22,9 @@ class Domain(OrgModelMixin):
    date_created = models.DateTimeField(auto_now_add=True, null=True,
                                        verbose_name=_('Date created'))

+    class Meta:
+        verbose_name = _("Domain")
+
    def __str__(self):
        return self.name

@@ -35,15 +40,15 @@ class Domain(OrgModelMixin):


 class Gateway(AssetUser):
-    SSH_PROTOCOL = 'ssh'
-    RDP_PROTOCOL = 'rdp'
+    PROTOCOL_SSH = 'ssh'
+    PROTOCOL_RDP = 'rdp'
    PROTOCOL_CHOICES = (
-        (SSH_PROTOCOL, 'ssh'),
-        (RDP_PROTOCOL, 'rdp'),
+        (PROTOCOL_SSH, 'ssh'),
+        (PROTOCOL_RDP, 'rdp'),
    )
    ip = models.GenericIPAddressField(max_length=32, verbose_name=_('IP'), db_index=True)
    port = models.IntegerField(default=22, verbose_name=_('Port'))
-    protocol = models.CharField(choices=PROTOCOL_CHOICES, max_length=16, default=SSH_PROTOCOL, verbose_name=_("Protocol"))
+    protocol = models.CharField(choices=PROTOCOL_CHOICES, max_length=16, default=PROTOCOL_SSH, verbose_name=_("Protocol"))
    domain = models.ForeignKey(Domain, on_delete=models.CASCADE, verbose_name=_("Domain"))
    comment = models.CharField(max_length=128, blank=True, null=True, verbose_name=_("Comment"))
    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
@@ -53,3 +58,40 @@ class Gateway(AssetUser):

    class Meta:
        unique_together = [('name', 'org_id')]
+        verbose_name = _("Gateway")
+
+    def test_connective(self, local_port=None):
+        if local_port is None:
+            local_port = self.port
+        client = paramiko.SSHClient()
+        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+        proxy = paramiko.SSHClient()
+        proxy.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+        try:
+            proxy.connect(self.ip, port=self.port,
+                          username=self.username,
+                          password=self.password,
+                          pkey=self.private_key_obj)
+        except(paramiko.AuthenticationException,
+               paramiko.BadAuthenticationType,
+               paramiko.SSHException,
+               paramiko.ssh_exception.NoValidConnectionsError) as e:
+            return False, str(e)
+
+        try:
+            sock = proxy.get_transport().open_channel(
+                'direct-tcpip', ('127.0.0.1', local_port), ('127.0.0.1', 0)
+            )
+            client.connect("127.0.0.1", port=local_port,
+                           username=self.username,
+                           password=self.password,
+                           key_filename=self.private_key_file,
+                           sock=sock,
+                           timeout=5)
+        except (paramiko.SSHException, paramiko.ssh_exception.SSHException,
+                paramiko.AuthenticationException, TimeoutError) as e:
+            return False, str(e)
+        finally:
+            client.close()
+        return True, None
--- a/apps/assets/models/gathered_user.py
+++ b/apps/assets/models/gathered_user.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+#
+import uuid
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from orgs.mixins.models import OrgModelMixin
+
+__all__ = ['GatheredUser']
+
+
+class GatheredUser(OrgModelMixin):
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_("Asset"))
+    username = models.CharField(max_length=32, blank=True, db_index=True,
+                                verbose_name=_('Username'))
+    present = models.BooleanField(default=True, verbose_name=_("Present"))
+    date_created = models.DateTimeField(auto_now_add=True,
+                                        verbose_name=_("Date created"))
+    date_updated = models.DateTimeField(auto_now=True,
+                                        verbose_name=_("Date updated"))
+
+    @property
+    def hostname(self):
+        return self.asset.hostname
+
+    @property
+    def ip(self):
+        return self.asset.ip
+
+    class Meta:
+        verbose_name = _('GatherUser')
+        ordering = ['asset']
+
+    def __str__(self):
+        return '{}: {}'.format(self.asset.hostname, self.username)
+
+
+
--- a/apps/assets/models/label.py
+++ b/apps/assets/models/label.py
@@ -4,7 +4,7 @@
 import uuid
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from orgs.mixins import OrgModelMixin
+from orgs.mixins.models import OrgModelMixin


 class Label(OrgModelMixin):
@@ -17,7 +17,8 @@ class Label(OrgModelMixin):
    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
    name = models.CharField(max_length=128, verbose_name=_("Name"))
    value = models.CharField(max_length=128, verbose_name=_("Value"))
-    category = models.CharField(max_length=128, choices=CATEGORY_CHOICES, default=USER_CATEGORY, verbose_name=_("Category"))
+    category = models.CharField(max_length=128, choices=CATEGORY_CHOICES,
+                                default=USER_CATEGORY, verbose_name=_("Category"))
    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
    comment = models.TextField(blank=True, null=True, verbose_name=_("Comment"))
    date_created = models.DateTimeField(
@@ -35,4 +36,4 @@ class Label(OrgModelMixin):

    class Meta:
        db_table = "assets_label"
-        unique_together = [('name', 'value')]
+        unique_together = [('name', 'value', 'org_id')]
--- a/apps/assets/models/node.py
+++ b/apps/assets/models/node.py
@@ -1,60 +1,157 @@
 # -*- coding: utf-8 -*-
 #
 import uuid
+import re
+import time

 from django.db import models, transaction
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import ugettext
+from django.core.cache import cache

-from orgs.mixins import OrgModelMixin
-from orgs.utils import current_org, set_current_org, get_current_org
+from common.utils import get_logger, timeit, lazyproperty
+from orgs.mixins.models import OrgModelMixin, OrgManager
+from orgs.utils import set_current_org, get_current_org, tmp_to_org
 from orgs.models import Organization

+
 __all__ = ['Node']
+logger = get_logger(__name__)


-class Node(OrgModelMixin):
-    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
-    key = models.CharField(unique=True, max_length=64, verbose_name=_("Key"))  # '1:1:1:1'
-    value = models.CharField(max_length=128, verbose_name=_("Value"))
-    child_mark = models.IntegerField(default=0)
-    date_create = models.DateTimeField(auto_now_add=True)
+class NodeQuerySet(models.QuerySet):
+    def delete(self):
+        raise PermissionError("Bulk delete node deny")

+
+class TreeMixin:
+    tree_created_time = None
+    tree_updated_time_cache_key = 'NODE_TREE_UPDATED_AT'
+    tree_cache_time = 3600
+    tree_assets_cache_key = 'NODE_TREE_ASSETS_UPDATED_AT'
+    tree_assets_created_time = None
+    _tree_service = None
+
+    @classmethod
+    def tree(cls):
+        from ..utils import TreeService
+        tree_updated_time = cache.get(cls.tree_updated_time_cache_key, 0)
+        now = time.time()
+        # 什么时候重新初始化 _tree_service
+        if not cls.tree_created_time or \
+                tree_updated_time > cls.tree_created_time:
+            logger.debug("Create node tree")
+            tree = TreeService.new()
+            cls.tree_created_time = now
+            cls.tree_assets_created_time = now
+            cls._tree_service = tree
+            return tree
+        # 是否要重新初始化节点资产
+        node_assets_updated_time = cache.get(cls.tree_assets_cache_key, 0)
+        if not cls.tree_assets_created_time or \
+                node_assets_updated_time > cls.tree_assets_created_time:
+            cls._tree_service.init_assets()
+            cls.tree_assets_created_time = now
+            logger.debug("Refresh node tree assets")
+        return cls._tree_service
+
+    @classmethod
+    def refresh_tree(cls, t=None):
+        logger.debug("Refresh node tree")
+        key = cls.tree_updated_time_cache_key
+        ttl = cls.tree_cache_time
+        if not t:
+            t = time.time()
+        cache.set(key, t, ttl)
+
+    @classmethod
+    def refresh_node_assets(cls, t=None):
+        logger.debug("Refresh node tree assets")
+        key = cls.tree_assets_cache_key
+        ttl = cls.tree_cache_time
+        if not t:
+            t = time.time()
+        cache.set(key, t, ttl)
+
+    @staticmethod
+    def refresh_user_tree_cache():
+        """
+        当节点-节点关系，节点-资产关系发生变化时，应该刷新用户授权树缓存
+        :return:
+        """
+        from perms.utils.asset_permission import AssetPermissionUtilV2
+        AssetPermissionUtilV2.expire_all_user_tree_cache()
+
+
+class FamilyMixin:
+    __parents = None
+    __children = None
+    __all_children = None
    is_node = True

-    def __str__(self):
-        return self.value
-        # return self.full_value
+    @staticmethod
+    def clean_children_keys(nodes_keys):
+        nodes_keys = sorted(list(nodes_keys), key=lambda x: (len(x), x))
+        nodes_keys_clean = []
+        for key in nodes_keys[::-1]:
+            found = False
+            for k in nodes_keys:
+                if key.startswith(k + ':'):
+                    found = True
+                    break
+            if not found:
+                nodes_keys_clean.append(key)
+        return nodes_keys_clean

-    def __eq__(self, other):
-        return self.key == other.key
+    @classmethod
+    def get_node_all_children_key_pattern(cls, key, with_self=True):
+        pattern = r'^{0}:'.format(key)
+        if with_self:
+            pattern += r'|^{0}$'.format(key)
+        return pattern

-    def __gt__(self, other):
-        if self.is_root():
-            return True
-        self_key = [int(k) for k in self.key.split(':')]
-        other_key = [int(k) for k in other.key.split(':')]
-        if len(self_key) < len(other_key):
-            return True
-        elif len(self_key) > len(other_key):
-            return False
-        else:
-            return self_key[-1] < other_key[-1]
+    @classmethod
+    def get_node_children_key_pattern(cls, key, with_self=True):
+        pattern = r'^{0}:[0-9]+$'.format(key)
+        if with_self:
+            pattern += r'|^{0}$'.format(key)
+        return pattern
+
+    def get_children_key_pattern(self, with_self=False):
+        return self.get_node_children_key_pattern(self.key, with_self=with_self)
+
+    def get_all_children_pattern(self, with_self=False):
+        return self.get_node_all_children_key_pattern(self.key, with_self=with_self)
+
+    def is_children(self, other):
+        children_pattern = other.get_children_key_pattern(with_self=False)
+        return re.match(children_pattern, self.key)
+
+    def get_children(self, with_self=False):
+        pattern = self.get_children_key_pattern(with_self=with_self)
+        return Node.objects.filter(key__regex=pattern)
+
+    def get_all_children(self, with_self=False):
+        pattern = self.get_all_children_pattern(with_self=with_self)
+        children = Node.objects.filter(key__regex=pattern)
+        return children

    @property
-    def name(self):
-        return self.value
+    def children(self):
+        return self.get_children(with_self=False)

    @property
-    def full_value(self):
-        ancestor = [a.value for a in self.get_ancestor(with_self=True)]
-        if self.is_root():
-            return self.value
-        return ' / '.join(ancestor)
+    def all_children(self):
+        return self.get_all_children(with_self=False)

-    @property
-    def level(self):
-        return len(self.key.split(':'))
+    def create_child(self, value, _id=None):
+        with transaction.atomic():
+            child_key = self.get_next_child_key()
+            child = self.__class__.objects.create(
+                id=_id, key=child_key, value=value
+            )
+            return child

    def get_next_child_key(self):
        mark = self.child_mark
@@ -62,88 +159,56 @@ class Node(OrgModelMixin):
        self.save()
        return "{}:{}".format(self.key, mark)

-    def create_child(self, value):
-        with transaction.atomic():
-            child_key = self.get_next_child_key()
-            child = self.__class__.objects.create(key=child_key, value=value)
-            return child
+    def get_next_child_preset_name(self):
+        name = ugettext("New node")
+        values = [
+            child.value[child.value.rfind(' '):]
+            for child in self.get_children()
+            if child.value.startswith(name)
+        ]
+        values = [int(value) for value in values if value.strip().isdigit()]
+        count = max(values) + 1 if values else 1
+        return '{} {}'.format(name, count)

-    def get_children(self, with_self=False):
-        pattern = r'^{0}$|^{}:[0-9]+$' if with_self else r'^{}:[0-9]+$'
-        return self.__class__.objects.filter(
-            key__regex=pattern.format(self.key)
-        )
-
-    def get_all_children(self, with_self=False):
-        pattern = r'^{0}$|^{0}:' if with_self else r'^{0}'
-        return self.__class__.objects.filter(
-            key__regex=pattern.format(self.key)
-        )
-
-    def get_sibling(self, with_self=False):
-        key = ':'.join(self.key.split(':')[:-1])
-        pattern = r'^{}:[0-9]+$'.format(key)
-        sibling = self.__class__.objects.filter(
-            key__regex=pattern.format(self.key)
-        )
+    # Parents
+    @classmethod
+    def get_node_ancestor_keys(cls, key, with_self=False):
+        parent_keys = []
+        key_list = key.split(":")
        if not with_self:
-            sibling = sibling.exclude(key=self.key)
-        return sibling
+            key_list.pop()
+        for i in range(len(key_list)):
+            parent_keys.append(":".join(key_list))
+            key_list.pop()
+        return parent_keys

-    def get_family(self):
-        ancestor = self.get_ancestor()
-        children = self.get_all_children()
-        return [*tuple(ancestor), self, *tuple(children)]
+    def get_ancestor_keys(self, with_self=False):
+        return self.get_node_ancestor_keys(
+            self.key, with_self=with_self
+        )

-    def get_assets(self):
-        from .asset import Asset
-        if self.is_default_node():
-            assets = Asset.objects.filter(nodes__isnull=True)
-        else:
-            assets = Asset.objects.filter(nodes__id=self.id)
-        return assets
+    @property
+    def ancestors(self):
+        return self.get_ancestors(with_self=False)

-    def get_valid_assets(self):
-        return self.get_assets().valid()
-
-    def get_all_assets(self):
-        from .asset import Asset
-        pattern = r'^{0}$|^{0}:'.format(self.key)
-        args = []
-        kwargs = {}
-        if self.is_default_node():
-            args.append(Q(nodes__key__regex=pattern) | Q(nodes=None))
-        else:
-            kwargs['nodes__key__regex'] = pattern
-        assets = Asset.objects.filter(*args, **kwargs)
-        return assets
-
-    def get_all_valid_assets(self):
-        return self.get_all_assets().valid()
-
-    def is_default_node(self):
-        return self.is_root() and self.key == '0'
-
-    def is_root(self):
-        if self.key.isdigit():
-            return True
-        else:
-            return False
+    def get_ancestors(self, with_self=False):
+        ancestor_keys = self.get_ancestor_keys(with_self=with_self)
+        return self.__class__.objects.filter(key__in=ancestor_keys)

    @property
    def parent_key(self):
        parent_key = ":".join(self.key.split(":")[:-1])
        return parent_key

+    def is_parent(self, other):
+        return other.is_children(self)
+
    @property
    def parent(self):
-        if self.is_root():
+        if self.is_org_root():
            return self
-        try:
-            parent = self.__class__.objects.get(key=self.parent_key)
-            return parent
-        except Node.DoesNotExist:
-            return self.__class__.root()
+        parent_key = self.parent_key
+        return Node.objects.get(key=parent_key)

    @parent.setter
    def parent(self, parent):
@@ -154,57 +219,276 @@ class Node(OrgModelMixin):
        old_key = self.key
        with transaction.atomic():
            self.key = parent.get_next_child_key()
+            self.save()
            for child in children:
                child.key = child.key.replace(old_key, self.key, 1)
                child.save()
-            self.save()

-    def get_ancestor(self, with_self=False):
-        if self.is_root():
-            root = self.__class__.root()
-            return [root]
-        _key = self.key.split(':')
+    def get_siblings(self, with_self=False):
+        key = ':'.join(self.key.split(':')[:-1])
+        pattern = r'^{}:[0-9]+$'.format(key)
+        sibling = Node.objects.filter(
+            key__regex=pattern.format(self.key)
+        )
        if not with_self:
-            _key.pop()
-        ancestor_keys = []
-        for i in range(len(_key)):
-            ancestor_keys.append(':'.join(_key))
-            _key.pop()
-        ancestor = self.__class__.objects.filter(
-            key__in=ancestor_keys
-        ).order_by('key')
-        return ancestor
+            sibling = sibling.exclude(key=self.key)
+        return sibling
+
+    def get_family(self):
+        ancestors = self.get_ancestors()
+        children = self.get_all_children()
+        return [*tuple(ancestors), self, *tuple(children)]
+
+
+class FullValueMixin:
+    key = ''
+
+    @lazyproperty
+    def full_value(self):
+        if self.is_org_root():
+            return self.value
+        value = self.tree().get_node_full_tag(self.key)
+        return value
+
+
+class NodeAssetsMixin:
+    key = ''
+    id = None
+
+    @lazyproperty
+    def assets_amount(self):
+        amount = self.tree().assets_amount(self.key)
+        return amount
+
+    def get_all_assets(self):
+        from .asset import Asset
+        if self.is_org_root():
+            return Asset.objects.filter(org_id=self.org_id)
+        pattern = '^{0}$|^{0}:'.format(self.key)
+        return Asset.objects.filter(nodes__key__regex=pattern).distinct()
+
+    def get_assets(self):
+        from .asset import Asset
+        if self.is_org_root():
+            assets = Asset.objects.filter(Q(nodes=self) | Q(nodes__isnull=True))
+        else:
+            assets = Asset.objects.filter(nodes=self)
+        return assets.distinct()
+
+    def get_valid_assets(self):
+        return self.get_assets().valid()
+
+    def get_all_valid_assets(self):
+        return self.get_all_assets().valid()

    @classmethod
-    def create_root_node(cls):
+    def _get_nodes_all_assets(cls, nodes_keys):
+        """
+        当节点比较多的时候，这种正则方式性能差极了
+        :param nodes_keys:
+        :return:
+        """
+        from .asset import Asset
+        nodes_keys = cls.clean_children_keys(nodes_keys)
+        nodes_children_pattern = set()
+        for key in nodes_keys:
+            children_pattern = cls.get_node_all_children_key_pattern(key)
+            nodes_children_pattern.add(children_pattern)
+        pattern = '|'.join(nodes_children_pattern)
+        return Asset.objects.filter(nodes__key__regex=pattern).distinct()
+
+    @classmethod
+    def get_nodes_all_assets_ids(cls, nodes_keys):
+        nodes_keys = cls.clean_children_keys(nodes_keys)
+        assets_ids = set()
+        for key in nodes_keys:
+            node_assets_ids = cls.tree().all_assets(key)
+            assets_ids.update(set(node_assets_ids))
+        return assets_ids
+
+    @classmethod
+    def get_nodes_all_assets(cls, nodes_keys, extra_assets_ids=None):
+        from .asset import Asset
+        nodes_keys = cls.clean_children_keys(nodes_keys)
+        assets_ids = cls.get_nodes_all_assets_ids(nodes_keys)
+        if extra_assets_ids:
+            assets_ids.update(set(extra_assets_ids))
+        return Asset.objects.filter(id__in=assets_ids)
+
+
+class SomeNodesMixin:
+    key = ''
+    default_key = '1'
+    default_value = 'Default'
+    ungrouped_key = '-10'
+    ungrouped_value = _('ungrouped')
+    empty_key = '-11'
+    empty_value = _("empty")
+
+    def is_default_node(self):
+        return self.key == self.default_key
+
+    def is_org_root(self):
+        if self.key.isdigit():
+            return True
+        else:
+            return False
+
+    @classmethod
+    def create_org_root_node(cls):
        # 如果使用current_org 在set_current_org时会死循环
-        _current_org = get_current_org()
+        ori_org = get_current_org()
        with transaction.atomic():
-            if _current_org.is_default():
-                key = '0'
-            else:
-                set_current_org(Organization.root())
-                org_nodes_roots = cls.objects.filter(key__regex=r'^[0-9]+$')
-                org_nodes_roots_keys = org_nodes_roots.values_list('key', flat=True)
-                key = max([int(k) for k in org_nodes_roots_keys]) + 1
-                set_current_org(_current_org)
-            root = cls.objects.create(key=key, value=_current_org.name)
+            if not ori_org.is_real():
+                return cls.default_node()
+            set_current_org(Organization.root())
+            org_nodes_roots = cls.objects.filter(key__regex=r'^[0-9]+$')
+            org_nodes_roots_keys = org_nodes_roots.values_list('key', flat=True)
+            if not org_nodes_roots_keys:
+                org_nodes_roots_keys = ['1']
+            key = max([int(k) for k in org_nodes_roots_keys])
+            key = str(key + 1) if key != 0 else '2'
+            set_current_org(ori_org)
+            root = cls.objects.create(key=key, value=ori_org.name)
            return root

    @classmethod
-    def root(cls):
+    def org_root(cls):
        root = cls.objects.filter(key__regex=r'^[0-9]+$')
        if root:
            return root[0]
        else:
-            return cls.create_root_node()
+            return cls.create_org_root_node()
+
+    @classmethod
+    def ungrouped_node(cls):
+        with tmp_to_org(Organization.system()):
+            defaults = {'value': cls.ungrouped_key}
+            obj, created = cls.objects.get_or_create(
+                defaults=defaults, key=cls.ungrouped_key
+            )
+            return obj
+
+    @classmethod
+    def empty_node(cls):
+        with tmp_to_org(Organization.system()):
+            defaults = {'value': cls.empty_value}
+            obj, created = cls.objects.get_or_create(
+                defaults=defaults, key=cls.empty_key
+            )
+            return obj
+
+    @classmethod
+    def default_node(cls):
+        with tmp_to_org(Organization.default()):
+            defaults = {'value': cls.default_value}
+            obj, created = cls.objects.get_or_create(
+                defaults=defaults, key=cls.default_key,
+            )
+            return obj
+
+    @classmethod
+    def initial_some_nodes(cls):
+        cls.default_node()
+        cls.empty_node()
+        cls.ungrouped_node()
+
+
+class Node(OrgModelMixin, SomeNodesMixin, TreeMixin, FamilyMixin, FullValueMixin, NodeAssetsMixin):
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    key = models.CharField(unique=True, max_length=64, verbose_name=_("Key"))  # '1:1:1:1'
+    value = models.CharField(max_length=128, verbose_name=_("Value"))
+    child_mark = models.IntegerField(default=0)
+    date_create = models.DateTimeField(auto_now_add=True)
+
+    objects = OrgManager.from_queryset(NodeQuerySet)()
+    is_node = True
+    _parents = None
+
+    class Meta:
+        verbose_name = _("Node")
+        ordering = ['key']
+
+    def __str__(self):
+        return self.value
+
+    def __eq__(self, other):
+        if not other:
+            return False
+        return self.id == other.id
+
+    def __gt__(self, other):
+        self_key = [int(k) for k in self.key.split(':')]
+        other_key = [int(k) for k in other.key.split(':')]
+        self_parent_key = self_key[:-1]
+        other_parent_key = other_key[:-1]
+
+        if self_parent_key and self_parent_key == other_parent_key:
+            return self.value > other.value
+        return self_key > other_key
+
+    def __lt__(self, other):
+        return not self.__gt__(other)
+
+    @property
+    def name(self):
+        return self.value
+
+    @property
+    def level(self):
+        return len(self.key.split(':'))
+
+    @classmethod
+    def refresh_nodes(cls):
+        cls.refresh_tree()
+
+    @classmethod
+    def refresh_assets(cls):
+        cls.refresh_node_assets()
+
+    def as_tree_node(self):
+        from common.tree import TreeNode
+        name = '{} ({})'.format(self.value, self.assets_amount)
+        data = {
+            'id': self.key,
+            'name': name,
+            'title': name,
+            'pId': self.parent_key,
+            'isParent': True,
+            'open': self.is_org_root(),
+            'meta': {
+                'node': {
+                    "id": self.id,
+                    "name": self.name,
+                    "value": self.value,
+                    "key": self.key,
+                    "assets_amount": self.assets_amount,
+                },
+                'type': 'node'
+            }
+        }
+        tree_node = TreeNode(**data)
+        return tree_node
+
+    def delete(self, using=None, keep_parents=False):
+        if self.children or self.get_assets():
+            return
+        return super().delete(using=using, keep_parents=keep_parents)

    @classmethod
    def generate_fake(cls, count=100):
        import random
-        for i in range(count):
-            node = random.choice(cls.objects.all())
-            node.create_child('Node {}'.format(i))
-
-
+        org = get_current_org()
+        if not org or not org.is_real():
+            Organization.default().change_to()
+        i = 0
+        while i < count:
+            nodes = list(cls.objects.all())
+            if count > 100:
+                length = 100
+            else:
+                length = count

+            for i in range(length):
+                node = random.choice(nodes)
+                node.create_child('Node {}'.format(i))
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -3,18 +3,19 @@
 #

 import logging
-import uuid

-from django.core.cache import cache
+from functools import reduce
 from django.db import models
+from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
+from django.core.validators import MinValueValidator, MaxValueValidator

 from common.utils import get_signer
-from ..const import SYSTEM_USER_CONN_CACHE_KEY
 from .base import AssetUser
+from .asset import Asset


-__all__ = ['AdminUser', 'SystemUser',]
+__all__ = ['AdminUser', 'SystemUser']
 logger = logging.getLogger(__name__)
 signer = get_signer()

@@ -30,7 +31,9 @@ class AdminUser(AssetUser):
    become = models.BooleanField(default=True)
    become_method = models.CharField(choices=BECOME_METHOD_CHOICES, default='sudo', max_length=4)
    become_user = models.CharField(default='root', max_length=64)
-    _become_pass = models.CharField(default='', max_length=128)
+    _become_pass = models.CharField(default='', blank=True, max_length=128)
+    CONNECTIVITY_CACHE_KEY = '_ADMIN_USER_CONNECTIVE_{}'
+    _prefer = "admin_user"

    def __str__(self):
        return self.name
@@ -59,14 +62,6 @@ class AdminUser(AssetUser):
            info = None
        return info

-    def get_related_assets(self):
-        assets = self.asset_set.all()
-        return assets
-
-    @property
-    def assets_amount(self):
-        return self.get_related_assets().count()
-
    class Meta:
        ordering = ['name']
        unique_together = [('name', 'org_id')]
@@ -94,86 +89,72 @@ class AdminUser(AssetUser):


 class SystemUser(AssetUser):
-    SSH_PROTOCOL = 'ssh'
-    RDP_PROTOCOL = 'rdp'
-    TELNET_PROTOCOL = 'telnet'
+    PROTOCOL_SSH = 'ssh'
+    PROTOCOL_RDP = 'rdp'
+    PROTOCOL_TELNET = 'telnet'
+    PROTOCOL_VNC = 'vnc'
    PROTOCOL_CHOICES = (
-        (SSH_PROTOCOL, 'ssh'),
-        (RDP_PROTOCOL, 'rdp'),
-        (TELNET_PROTOCOL, 'telnet (beta)'),
+        (PROTOCOL_SSH, 'ssh'),
+        (PROTOCOL_RDP, 'rdp'),
+        (PROTOCOL_TELNET, 'telnet'),
+        (PROTOCOL_VNC, 'vnc'),
    )

-    AUTO_LOGIN = 'auto'
-    MANUAL_LOGIN = 'manual'
+    LOGIN_AUTO = 'auto'
+    LOGIN_MANUAL = 'manual'
    LOGIN_MODE_CHOICES = (
-        (AUTO_LOGIN, _('Automatic login')),
-        (MANUAL_LOGIN, _('Manually login'))
+        (LOGIN_AUTO, _('Automatic login')),
+        (LOGIN_MANUAL, _('Manually login'))
    )

    nodes = models.ManyToManyField('assets.Node', blank=True, verbose_name=_("Nodes"))
    assets = models.ManyToManyField('assets.Asset', blank=True, verbose_name=_("Assets"))
-    priority = models.IntegerField(default=10, verbose_name=_("Priority"))
+    priority = models.IntegerField(default=20, verbose_name=_("Priority"), validators=[MinValueValidator(1), MaxValueValidator(100)])
    protocol = models.CharField(max_length=16, choices=PROTOCOL_CHOICES, default='ssh', verbose_name=_('Protocol'))
    auto_push = models.BooleanField(default=True, verbose_name=_('Auto push'))
    sudo = models.TextField(default='/bin/whoami', verbose_name=_('Sudo'))
    shell = models.CharField(max_length=64,  default='/bin/bash', verbose_name=_('Shell'))
-    login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=AUTO_LOGIN, max_length=10, verbose_name=_('Login mode'))
-
-    cache_key = "__SYSTEM_USER_CACHED_{}"
+    login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
+    cmd_filters = models.ManyToManyField('CommandFilter', related_name='system_users', verbose_name=_("Command filter"), blank=True)

    def __str__(self):
        return '{0.name}({0.username})'.format(self)

-    def to_json(self):
-        return {
-            'id': self.id,
-            'name': self.name,
-            'username': self.username,
-            'protocol': self.protocol,
-            'priority': self.priority,
-            'auto_push': self.auto_push,
-        }
-
-    def get_assets(self):
-        assets = set(self.assets.all())
-        return assets
-
    @property
-    def assets_connective(self):
-        _result = cache.get(SYSTEM_USER_CONN_CACHE_KEY.format(self.name), {})
-        return _result
-
-    @property
-    def unreachable_assets(self):
-        return list(self.assets_connective.get('dark', {}).keys())
-
-    @property
-    def reachable_assets(self):
-        return self.assets_connective.get('contacted', [])
+    def login_mode_display(self):
+        return self.get_login_mode_display()

    def is_need_push(self):
-        if self.auto_push and self.protocol == self.__class__.SSH_PROTOCOL:
+        if self.auto_push and self.protocol in [self.PROTOCOL_SSH, self.PROTOCOL_RDP]:
            return True
        else:
            return False

-    def set_cache(self):
-        cache.set(self.cache_key.format(self.id), self, 3600)
+    @property
+    def cmd_filter_rules(self):
+        from .cmd_filter import CommandFilterRule
+        rules = CommandFilterRule.objects.filter(
+            filter__in=self.cmd_filters.all()
+        ).distinct()
+        return rules

-    def expire_cache(self):
-        cache.delete(self.cache_key.format(self.id))
+    def is_command_can_run(self, command):
+        for rule in self.cmd_filter_rules:
+            action, matched_cmd = rule.match(command)
+            if action == rule.ACTION_ALLOW:
+                return True, None
+            elif action == rule.ACTION_DENY:
+                return False, matched_cmd
+        return True, None

-    @classmethod
-    def get_system_user_by_id_or_cached(cls, sid):
-        cached = cache.get(cls.cache_key.format(sid))
-        if cached:
-            return cached
-        try:
-            system_user = cls.objects.get(id=sid)
-            system_user.set_cache()
-            return system_user
-        except cls.DoesNotExist:
-            return None
+    def get_all_assets(self):
+        from assets.models import Node
+        nodes_keys = self.nodes.all().values_list('key', flat=True)
+        assets_ids = set(self.assets.all().values_list('id', flat=True))
+        nodes_assets_ids = Node.get_nodes_all_assets_ids(nodes_keys)
+        assets_ids.update(nodes_assets_ids)
+        assets = Asset.objects.filter(id__in=assets_ids)
+        return assets

    class Meta:
        ordering = ['name']
--- a/apps/assets/models/utils.py
+++ b/apps/assets/models/utils.py
@@ -2,11 +2,17 @@
 # -*- coding: utf-8 -*-
 #

+from django.utils import timezone
+from django.core.cache import cache
 from django.core.exceptions import ValidationError
+from django.utils.translation import ugettext_lazy as _
+
 from common.utils import validate_ssh_private_key


-__all__ = ['init_model', 'generate_fake']
+__all__ = [
+    'init_model', 'generate_fake', 'private_key_validator', 'Connectivity',
+]


 def init_model():
@@ -31,5 +37,72 @@ def private_key_validator(value):
        )


-if __name__ == '__main__':
-    pass
+class Connectivity:
+    UNREACHABLE, REACHABLE, UNKNOWN = range(0, 3)
+    CONNECTIVITY_CHOICES = (
+        (UNREACHABLE, _("Unreachable")),
+        (REACHABLE, _('Reachable')),
+        (UNKNOWN, _("Unknown")),
+    )
+
+    status = UNKNOWN
+    datetime = timezone.now()
+
+    def __init__(self, status, datetime):
+        self.status = status
+        self.datetime = datetime
+
+    def display(self):
+        return dict(self.__class__.CONNECTIVITY_CHOICES).get(self.status)
+
+    def is_reachable(self):
+        return self.status == self.REACHABLE
+
+    def is_unreachable(self):
+        return self.status == self.UNREACHABLE
+
+    def is_unknown(self):
+        return self.status == self.UNKNOWN
+
+    @classmethod
+    def unreachable(cls):
+        return cls(cls.UNREACHABLE, timezone.now())
+
+    @classmethod
+    def reachable(cls):
+        return cls(cls.REACHABLE, timezone.now())
+
+    @classmethod
+    def unknown(cls):
+        return cls(cls.UNKNOWN, timezone.now())
+
+    @classmethod
+    def set(cls, key, value, ttl=0):
+        cache.set(key, value, ttl)
+
+    @classmethod
+    def get(cls, key):
+        value = cache.get(key, cls.unknown())
+        if not isinstance(value, cls):
+            value = cls.unknown()
+        return value
+
+    @classmethod
+    def set_unreachable(cls, key, ttl=0):
+        cls.set(key, cls.unreachable(), ttl)
+
+    @classmethod
+    def set_reachable(cls, key, ttl=0):
+        cls.set(key, cls.reachable(), ttl)
+
+    def __eq__(self, other):
+        return self.status == other.status
+
+    def __gt__(self, other):
+        return self.status > other.status
+
+    def __lt__(self, other):
+        return not self.__gt__(other)
+
+    def __str__(self):
+        return self.display()
--- a/apps/assets/serializers/init.py
+++ b/apps/assets/serializers/init.py
@@ -7,3 +7,6 @@ from .label import *
 from .system_user import *
 from .node import *
 from .domain import *
+from .cmd_filter import *
+from .asset_user import *
+from .gathered_user import *
--- a/Show More
+++ b/Show More