Merge branch 'master' into v2.0

Merge branch 'v2.0' of github.com:jumpserver/jumpserver into v2.0
ci(build&release): 自动化构建发布
2025-12-15 08:32:48 +00:00 · 2020-07-08 16:14:19 +08:00 · 2020-07-08 16:14:06 +08:00 · 2020-07-08 15:58:57 +08:00 · 2020-07-08 15:58:57 +08:00 · 2020-07-08 15:48:05 +08:00
792 changed files with 50227 additions and 96495 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,4 +4,6 @@ data/*
 .github
 tmp/*
 django.db
-celerybeat.pid
+celerybeat.pid
+### Vagrant ###
+.vagrant/
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -2,7 +2,7 @@


 ##### 使用版本
-[请提供你使用的Jumpserver版本 1.x.x 注: 0.3.x不再提供支持]
+[请提供你使用的JumpServer版本 如 2.0.1 注: 1.4及以下版本不再提供支持]

 ##### 问题复现步骤
 1. [步骤1]
--- a/.github/release-config.yml
+++ b/.github/release-config.yml
@@ -0,0 +1,44 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: '🌱 新功能 Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+      - 'feat'
+      - '新功能'
+  - title: '🚀 性能优化 Optimization'
+    labels:
+      - 'perf'
+      - 'opt'
+      - 'refactor'
+      - 'Optimization'
+      - '优化'
+  - title: '🐛 Bug修复 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 其它 Maintenance'
+    labels:
+      - 'chore'
+      - 'docs'
+exclude-labels:
+  - 'no'
+  - '无需处理'
+  - 'wontfix'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  ## 版本变化  What’s Changed
+  $CHANGES
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -0,0 +1,46 @@
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+name: Create Release And Upload assets
+
+jobs:
+  create-realese:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Get version
+        id: get_version
+        run: |
+          TAG=$(basename ${GITHUB_REF})
+          VERSION=${TAG/v/}
+          echo "::set-output name=TAG::$TAG"
+          echo "::set-output name=VERSION::$VERSION"
+      - name: Create Release
+        id: create_release
+        uses: release-drafter/release-drafter@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          config-name: release-config.yml
+          version: ${{ steps.get_version.outputs.TAG }}
+          tag: ${{ steps.get_version.outputs.TAG }}
+
+  build-and-release:
+    needs: create-realese
+    name: Build and Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build it and upload
+        uses: jumpserver/action-build-upload-assets@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-realese.outputs.upload_url }}
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,7 @@ data/static
 docs/_build/
 xpack
 logs/*
+### Vagrant ###
+.vagrant/
+release/*
+releashe
--- a/5
+++ b/5
@@ -9,8 +9,8 @@ COPY ./requirements /tmp/requirements
 RUN yum -y install epel-release && \
      echo -e "[mysql]\nname=mysql\nbaseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el6/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/mysql.repo
 RUN cd /tmp/requirements && yum -y install $(cat rpm_requirements.txt)
-RUN cd /tmp/requirements && pip install --upgrade pip setuptools && \
-    pip install -i https://mirrors.aliyun.com/pypi/simple/ -r requirements.txt || pip install -r requirements.txt
+RUN cd /tmp/requirements && pip install --upgrade pip setuptools && pip install wheel && \
+    pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r requirements.txt || pip install -r requirements.txt
 RUN mkdir -p /root/.ssh/ && echo -e "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config

 COPY . /opt/jumpserver
@@ -21,5 +21,6 @@ VOLUME /opt/jumpserver/logs
 ENV LANG=zh_CN.UTF-8
 ENV LC_ALL=zh_CN.UTF-8

+EXPOSE 8070
 EXPOSE 8080
 ENTRYPOINT ["./entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -1,213 +1,231 @@
-## Jumpserver 多云环境下更好用的堡垒机
+# JumpServer 多云环境下更好用的堡垒机

 [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
-[![Django](https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
-[![Ansible](https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic)](https://www.ansible.com/)
-[![Paramiko](https://img.shields.io/badge/paramiko-2.4.1-green.svg?style=plastic)](http://www.paramiko.org/)
+[![Django](https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
+[![Docker Pulls](https://img.shields.io/docker/pulls/jumpserver/jms_all.svg)](https://hub.docker.com/u/jumpserver)

+JumpServer 是全球首款开源的堡垒机，使用 GNU GPL v2.0 开源协议，是符合 4A 规范的运维安全审计系统。

----
+JumpServer 使用 Python / Django 为主进行开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。

-Jumpserver 是全球首款完全开源的堡垒机，使用 GNU GPL v2.0 开源协议，是符合 4A 的专业运维审计系统。
-
-Jumpserver 使用 Python / Django 进行开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 解决方案，交互界面美观、用户体验好。
-
-Jumpserver 采纳分布式架构，支持多机房跨区域部署，中心节点提供 API，各机房部署登录节点，可横向扩展、无并发限制。
+JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。

 改变世界，从一点点开始。

- [English Version](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
+> 注: [KubeOperator](https://github.com/KubeOperator/KubeOperator) 是 JumpServer 团队在 Kubernetes 领域的的又一全新力作，欢迎关注和使用。

+## 特色优势

-### 功能
----
+- 开源: 零门槛，线上快速获取和安装, 修复版本视情况而定；
+, 修复版本视情况而定- 分布式: 轻松支持大规模并发访问；
+- 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
+- 多云支持: 一套系统，同时管理不同云上面的资产；
+- 云端存储: 审计录像云端存储，永不丢失；
+- 多租户: 一套系统，多个子公司和部门同时使用。

-<table class="subscription-level-table">
-    <tr class="subscription-level-tr-border">
-        <th  style="background-color: #1ab394;color: #ffffff;" colspan="3">Jumpserver提供的堡垒机必备功能</th>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-first-td-background-style" rowspan="4">身份验证 Authentication</td>
-        <td class="features-second-td-background-style" rowspan="3" >登录认证
-        </td>
-        <td class="features-third-td-background-style">资源统一登录和认证
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">LDAP认证
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">支持OpenID，实现单点登录
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">多因子认证
-        </td>
-        <td class="features-third-td-background-style">MFA（Google Authenticator）
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-first-td-background-style" rowspan="9">账号管理 Account</td>
-        <td class="features-second-td-background-style" rowspan="2">集中账号管理
-        </td>
-        <td class="features-third-td-background-style">管理用户管理
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">系统用户管理
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style" rowspan="4">统一密码管理
-        </td>
-        <td class="features-third-td-background-style">资产密码托管
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">自动生成密码
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">密码自动推送
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">密码过期设置
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-outline-td-background-style" rowspan="2">批量密码变更(X-PACK)
-        </td>
-        <td class="features-outline-td-background-style">定期批量修改密码
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-outline-td-background-style">生成随机密码
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-outline-td-background-style">多云环境的资产纳管(X-PACK)
-        </td>
-        <td class="features-outline-td-background-style">对私有云、公有云资产统一纳管
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-first-td-background-style" rowspan="9">授权控制 Authorization</td>
-        <td class="features-second-td-background-style" rowspan="3">资产授权管理
-        </td>
-        <td class="features-third-td-background-style">资产树
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">资产或资产组灵活授权
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">节点内资产自动继承授权
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-outline-td-background-style">RemoteApp(X-PACK)
-        </td>
-        <td class="features-outline-td-background-style">实现更细粒度的应用级授权
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-outline-td-background-style">组织管理(X-PACK)
-        </td>
-        <td class="features-outline-td-background-style">实现多租户管理，权限隔离
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">多维度授权
-        </td>
-        <td class="features-third-td-background-style">可对用户、用户组或系统角色授权
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">指令限制
-        </td>
-        <td class="features-third-td-background-style">限制特权指令使用，支持黑白名单
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">统一文件传输
-        </td>
-        <td class="features-third-td-background-style">SFTP 文件上传/下载
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">文件管理
-        </td>
-        <td class="features-third-td-background-style">Web SFTP 文件管理
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-first-td-background-style" rowspan="6">安全审计 Audit</td>
-        <td class="features-second-td-background-style" rowspan="2">会话管理
-        </td>
-        <td class="features-third-td-background-style">在线会话管理
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">历史会话管理
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style" rowspan="2">录像管理
-        </td>
-        <td class="features-third-td-background-style">Linux 录像支持
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-third-td-background-style">Windows 录像支持
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">指令审计
-        </td>
-        <td class="features-third-td-background-style">指令记录
-        </td>
-    </tr>
-    <tr class="subscription-level-tr-border">
-        <td class="features-second-td-background-style">文件传输审计
-        </td>
-        <td class="features-third-td-background-style">上传/下载记录审计
-        </td>
-    </tr>
+## 版本说明
+
+自 v2.0.0 发布后， JumpServer 版本号命名将变更为：v大版本.功能版本.Bug修复版本。比如：
+
+```
+v2.0.1 是 v2.0.0 之后的Bug修复版本；
+v2.1.0 是 v2.0.0 之后的功能版本。
+```
+
+像其它优秀开源项目一样，JumpServer 每个月会发布一个功能版本，并同时维护 3 个功能版本。比如：
+
+```
+在 v2.4 发布前，我们会同时维护 v2.1、v2.2、v2.3；
+在 v2.4 发布后，我们会同时维护 v2.2、v2.3、v2.4；v2.1 会停止维护。
+```
+
+## 功能列表
+
+<table>
+  <tr>
+    <td rowspan="8">身份认证<br>Authentication</td>
+    <td rowspan="5">登录认证</td>
+    <td>资源统一登录与认证</td>
+  </tr>
+  <tr>
+    <td>LDAP/AD 认证</td>
+  </tr>
+  <tr>
+    <td>RADIUS 认证</td>
+  </tr>
+  <tr>
+    <td>OpenID 认证（实现单点登录）</td>
+  </tr>
+  <tr>
+    <td>CAS 认证 （实现单点登录）</td>
+  </tr>
+  <tr>
+    <td rowspan="2">MFA认证</td>
+    <td>MFA 二次认证（Google Authenticator）</td>
+  </tr>
+  <tr>
+    <td>RADIUS 二次认证</td>
+  </tr>
+  <tr>
+    <td>登录复核（X-PACK）</td>
+    <td>用户登录行为受管理员的监管与控制</td>
+  </tr>
+  <tr>
+    <td rowspan="11">账号管理<br>Account</td>
+    <td rowspan="2">集中账号</td>
+    <td>管理用户管理</td>
+  </tr>
+  <tr>
+    <td>系统用户管理</td>
+  </tr>
+  <tr>
+    <td rowspan="4">统一密码</td>
+    <td>资产密码托管</td>
+  </tr>
+  <tr>
+    <td>自动生成密码</td>
+  </tr>
+  <tr>
+    <td>自动推送密码</td>
+  </tr>
+  <tr>
+    <td>密码过期设置</td>
+  </tr>
+  <tr>
+    <td rowspan="2">批量改密（X-PACK）</td>
+    <td>定期批量改密</td>
+  </tr>
+  <tr>
+    <td>多种密码策略</td>
+  </tr>
+  <tr>
+    <td>多云纳管（X-PACK）</td>
+    <td>对私有云、公有云资产自动统一纳管</td>
+  </tr>
+  <tr>
+    <td>收集用户（X-PACK）</td>
+    <td>自定义任务定期收集主机用户</td>
+  </tr>
+  <tr>
+    <td>密码匣子（X-PACK）</td>
+    <td>统一对资产主机的用户密码进行查看、更新、测试操作</td>
+  </tr>
+  <tr>
+    <td rowspan="15">授权控制<br>Authorization</td>
+    <td>多维授权</td>
+    <td>对用户、用户组、资产、资产节点、应用以及系统用户进行授权</td>
+  </tr>
+  <tr>
+    <td rowspan="4">资产授权</td>
+    <td>资产以树状结构进行展示</td>
+  </tr>
+  <tr>
+    <td>资产和节点均可灵活授权</td>
+  </tr>
+  <tr>
+    <td>节点内资产自动继承授权</td>
+  </tr>
+  <tr>
+    <td>子节点自动继承父节点授权</td>
+  </tr>
+  <tr>
+    <td rowspan="2">应用授权</td>
+    <td>实现更细粒度的应用级授权</td>
+  </tr>
+  <tr>
+    <td>MySQL 数据库应用、RemoteApp 远程应用（X-PACK）</td>
+  </tr>
+  <tr>
+    <td>动作授权</td>
+    <td>实现对授权资产的文件上传、下载以及连接动作的控制</td>
+  </tr>
+  <tr>
+    <td>时间授权</td>
+    <td>实现对授权资源使用时间段的限制</td>
+  </tr>
+  <tr>
+    <td>特权指令</td>
+    <td>实现对特权指令的使用（支持黑白名单）</td>
+  </tr>
+  <tr>
+    <td>命令过滤</td>
+    <td>实现对授权系统用户所执行的命令进行控制</td>
+  </tr>
+  <tr>
+    <td>文件传输</td>
+    <td>SFTP 文件上传/下载</td>
+  </tr>
+  <tr>
+    <td>文件管理</td>
+    <td>实现 Web SFTP 文件管理</td>
+  </tr>
+  <tr>
+    <td>工单管理（X-PACK）</td>
+    <td>支持对用户登录请求行为进行控制</td>
+  </tr>
+  <tr>
+    <td>组织管理（X-PACK）</td>
+    <td>实现多租户管理与权限隔离</td>
+  </tr>
+  <tr>
+    <td rowspan="7">安全审计<br>Audit</td>
+    <td>操作审计</td>
+    <td>用户操作行为审计</td>
+  </tr>
+  <tr>
+    <td rowspan="2">会话审计</td>
+    <td>在线会话内容审计</td>
+  </tr>
+  <tr>
+    <td>历史会话内容审计</td>
+  </tr>
+  <tr>
+    <td rowspan="2">录像审计</td>
+    <td>支持对 Linux、Windows 等资产操作的录像进行回放审计</td>
+  </tr>
+  <tr>
+    <td>支持对 RemoteApp（X-PACK）、MySQL 等应用操作的录像进行回放审计</td>
+  </tr>
+  <tr>
+    <td>指令审计</td>
+    <td>支持对资产和应用等操作的命令进行审计</td>
+  </tr>
+  <tr>
+    <td>文件传输</td>
+    <td>可对文件的上传、下载记录进行审计</td>
+  </tr>
 </table>

+## 快速开始

-### 开始使用
----
+- [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
+- [完整文档](https://docs.jumpserver.org)
+- [演示视频](https://jumpserver.oss-cn-hangzhou.aliyuncs.com/jms-media/%E3%80%90%E6%BC%94%E7%A4%BA%E8%A7%86%E9%A2%91%E3%80%91Jumpserver%20%E5%A0%A1%E5%9E%92%E6%9C%BA%20V1.5.0%20%E6%BC%94%E7%A4%BA%E8%A7%86%E9%A2%91%20-%20final.mp4)

- 快速开始文档  [Docker 安装](http://docs.jumpserver.org/zh/docs/dockerinstall.html)
+## 案例研究

- Step by Step 安装文档 [详细部署](http://docs.jumpserver.org/zh/docs/step_by_step.html)
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。

- 也可以查看我们完整文档 [文档](http://docs.jumpserver.org)
+## 安全说明

-### Demo、视频 和 截图
----
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.

-我们提供了 Demo 、演示视频和截图可以让你快速了解 Jumpserver
+如果你发现安全问题，可以直接联系我们：

- [Demo](https://demo.jumpserver.org/auth/login/?next=/)
- [视频](https://fit2cloud2-offline-installer.oss-cn-beijing.aliyuncs.com/tools/Jumpserver%20%E4%BB%8B%E7%BB%8Dv1.4.mp4)
- [截图](http://docs.jumpserver.org/zh/docs/snapshot.html)
+- ibuler@fit2cloud.com 
+- support@fit2cloud.com 
+- 400-052-0755

-### SDK
----
+## License & Copyright

-我们还编写了一些SDK，供你的其它系统快速和 Jumpserver API 交互
-
- [Python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver其它组件使用这个SDK完成交互
- [Java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) 恺珺同学提供的Java版本的SDK
-
-
-### License & Copyright
-Copyright (c) 2014-2019 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2020 飞致云 FIT2CLOUD, All rights reserved.

 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

--- a/README_EN.md
+++ b/README_EN.md
@@ -1,5 +1,7 @@
 ## Jumpserver 

+![Total visitor](https://visitor-count-badge.herokuapp.com/total.svg?repo_id=jumpserver)
+![Visitors in today](https://visitor-count-badge.herokuapp.com/today.svg?repo_id=jumpserver)
 [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
 [![Django](https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
 [![Ansible](https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic)](https://www.ansible.com/)
--- a/56
+++ b/56
@@ -0,0 +1,56 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box_check_update = false
+  config.vm.box = "centos/7"
+  config.vm.hostname = "jumpserver"
+  config.vm.network "private_network", ip: "172.17.8.101"
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "4096"
+    vb.cpus = 2
+    vb.name = "jumpserver"
+  end
+
+  config.vm.synced_folder ".", "/vagrant", type: "rsync",
+    rsync__verbose: true,
+    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
+
+  config.vm.provision "shell", inline: <<-SHELL
+## 设置yum的阿里云源
+sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
+sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
+sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
+sudo yum makecache
+
+## 安装依赖包
+sudo yum install -y python36 python36-devel python36-pip \
+		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
+     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
+     openldap-devel mariadb-devel mysql-devel libffi-devel \
+     openssh-clients telnet openldap-clients gcc
+
+## 配置pip阿里云源
+mkdir /home/vagrant/.pip
+cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
+[global]
+timeout = 6000
+index-url = https://mirrors.aliyun.com/pypi/simple/
+
+[install]
+use-mirrors = true
+mirrors = https://mirrors.aliyun.com/pypi/simple/
+trusted-host=mirrors.aliyun.com
+EOF
+
+python3.6 -m venv /home/vagrant/venv
+source /home/vagrant/venv/bin/activate
+echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
+  SHELL
+end
--- a/apps/applications/api/init.py
+++ b/apps/applications/api/init.py
@@ -1 +1,2 @@
 from .remote_app import *
+from .database_app import *
--- a/apps/applications/api/database_app.py
+++ b/apps/applications/api/database_app.py
@@ -0,0 +1,20 @@
+# coding: utf-8
+# 
+
+from orgs.mixins.api import OrgBulkModelViewSet
+
+from .. import models
+from .. import serializers
+from ..hands import IsOrgAdminOrAppUser
+
+__all__ = [
+    'DatabaseAppViewSet',
+]
+
+
+class DatabaseAppViewSet(OrgBulkModelViewSet):
+    model = models.DatabaseApp
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.DatabaseAppSerializer
--- a/apps/applications/api/remote_app.py
+++ b/apps/applications/api/remote_app.py
@@ -1,11 +1,8 @@
 # coding: utf-8
 #

-
-from rest_framework import generics
-from rest_framework.pagination import LimitOffsetPagination
-from rest_framework_bulk import BulkModelViewSet
-
+from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.mixins import generics
 from ..hands import IsOrgAdmin, IsAppUser
 from ..models import RemoteApp
 from ..serializers import RemoteAppSerializer, RemoteAppConnectionInfoSerializer
@@ -16,16 +13,15 @@ __all__ = [
 ]


-class RemoteAppViewSet(BulkModelViewSet):
-    filter_fields = ('name',)
+class RemoteAppViewSet(OrgBulkModelViewSet):
+    model = RemoteApp
+    filter_fields = ('name', 'type', 'comment')
    search_fields = filter_fields
    permission_classes = (IsOrgAdmin,)
-    queryset = RemoteApp.objects.all()
    serializer_class = RemoteAppSerializer
-    pagination_class = LimitOffsetPagination


 class RemoteAppConnectionInfoApi(generics.RetrieveAPIView):
-    queryset = RemoteApp.objects.all()
+    model = RemoteApp
    permission_classes = (IsAppUser, )
    serializer_class = RemoteAppConnectionInfoSerializer
--- a/apps/applications/const.py
+++ b/apps/applications/const.py
@@ -5,6 +5,7 @@ from django.utils.translation import ugettext_lazy as _


 # RemoteApp
+
 REMOTE_APP_BOOT_PROGRAM_NAME = '||jmservisor'

 REMOTE_APP_TYPE_CHROME = 'chrome'
@@ -12,29 +13,6 @@ REMOTE_APP_TYPE_MYSQL_WORKBENCH = 'mysql_workbench'
 REMOTE_APP_TYPE_VMWARE_CLIENT = 'vmware_client'
 REMOTE_APP_TYPE_CUSTOM = 'custom'

-REMOTE_APP_TYPE_CHOICES = (
-    (
-        _('Browser'),
-        (
-            (REMOTE_APP_TYPE_CHROME, 'Chrome'),
-        )
-    ),
-    (
-        _('Database tools'),
-        (
-            (REMOTE_APP_TYPE_MYSQL_WORKBENCH, 'MySQL Workbench'),
-        )
-    ),
-    (
-        _('Virtualization tools'),
-        (
-            (REMOTE_APP_TYPE_VMWARE_CLIENT, 'vSphere Client'),
-        )
-    ),
-    (REMOTE_APP_TYPE_CUSTOM, _('Custom')),
-
-)
-
 # Fields attribute write_only default => False

 REMOTE_APP_TYPE_CHROME_FIELDS = [
@@ -60,9 +38,26 @@ REMOTE_APP_TYPE_CUSTOM_FIELDS = [
    {'name': 'custom_password', 'write_only': True}
 ]

-REMOTE_APP_TYPE_MAP_FIELDS = {
+REMOTE_APP_TYPE_FIELDS_MAP = {
    REMOTE_APP_TYPE_CHROME: REMOTE_APP_TYPE_CHROME_FIELDS,
    REMOTE_APP_TYPE_MYSQL_WORKBENCH: REMOTE_APP_TYPE_MYSQL_WORKBENCH_FIELDS,
    REMOTE_APP_TYPE_VMWARE_CLIENT: REMOTE_APP_TYPE_VMWARE_CLIENT_FIELDS,
    REMOTE_APP_TYPE_CUSTOM: REMOTE_APP_TYPE_CUSTOM_FIELDS
 }
+
+REMOTE_APP_TYPE_CHOICES = (
+    (REMOTE_APP_TYPE_CHROME, 'Chrome'),
+    (REMOTE_APP_TYPE_MYSQL_WORKBENCH, 'MySQL Workbench'),
+    (REMOTE_APP_TYPE_VMWARE_CLIENT, 'vSphere Client'),
+    (REMOTE_APP_TYPE_CUSTOM, _('Custom')),
+)
+
+
+# DatabaseApp
+
+
+DATABASE_APP_TYPE_MYSQL = 'mysql'
+
+DATABASE_APP_TYPE_CHOICES = (
+    (DATABASE_APP_TYPE_MYSQL, 'MySQL'),
+)
--- a/apps/applications/forms/init.py
+++ b/apps/applications/forms/init.py
@@ -1 +0,0 @@
-from .remote_app import *
--- a/apps/applications/forms/remote_app.py
+++ b/apps/applications/forms/remote_app.py
@@ -1,132 +0,0 @@
-#  coding: utf-8
-#
-
-from django.utils.translation import ugettext as _
-from django import forms
-
-from orgs.mixins import OrgModelForm
-from assets.models import Asset, SystemUser
-
-from ..models import RemoteApp
-from .. import const
-
-
-__all__ = [
-    'RemoteAppCreateUpdateForm',
-]
-
-
-class RemoteAppTypeChromeForm(forms.ModelForm):
-    chrome_target = forms.CharField(
-        max_length=128, label=_('Target URL'), required=False
-    )
-    chrome_username = forms.CharField(
-        max_length=128, label=_('Login username'), required=False
-    )
-    chrome_password = forms.CharField(
-        widget=forms.PasswordInput, strip=True,
-        max_length=128, label=_('Login password'), required=False
-    )
-
-
-class RemoteAppTypeMySQLWorkbenchForm(forms.ModelForm):
-    mysql_workbench_ip = forms.CharField(
-        max_length=128, label=_('Database IP'), required=False
-    )
-    mysql_workbench_name = forms.CharField(
-        max_length=128, label=_('Database name'), required=False
-    )
-    mysql_workbench_username = forms.CharField(
-        max_length=128, label=_('Database username'), required=False
-    )
-    mysql_workbench_password = forms.CharField(
-        widget=forms.PasswordInput, strip=True,
-        max_length=128, label=_('Database password'), required=False
-    )
-
-
-class RemoteAppTypeVMwareForm(forms.ModelForm):
-    vmware_target = forms.CharField(
-        max_length=128, label=_('Target address'), required=False
-    )
-    vmware_username = forms.CharField(
-        max_length=128, label=_('Login username'), required=False
-    )
-    vmware_password = forms.CharField(
-        widget=forms.PasswordInput, strip=True,
-        max_length=128, label=_('Login password'), required=False
-    )
-
-
-class RemoteAppTypeCustomForm(forms.ModelForm):
-    custom_cmdline = forms.CharField(
-        max_length=128, label=_('Operating parameter'), required=False
-    )
-    custom_target = forms.CharField(
-        max_length=128, label=_('Target address'), required=False
-    )
-    custom_username = forms.CharField(
-        max_length=128, label=_('Login username'), required=False
-    )
-    custom_password = forms.CharField(
-        widget=forms.PasswordInput, strip=True,
-        max_length=128, label=_('Login password'), required=False
-    )
-
-
-class RemoteAppTypeForms(
-    RemoteAppTypeChromeForm,
-    RemoteAppTypeMySQLWorkbenchForm,
-    RemoteAppTypeVMwareForm,
-    RemoteAppTypeCustomForm
-):
-    pass
-
-
-class RemoteAppCreateUpdateForm(RemoteAppTypeForms, OrgModelForm):
-    def __init__(self, *args, **kwargs):
-        # 过滤RDP资产和系统用户
-        super().__init__(*args, **kwargs)
-        field_asset = self.fields['asset']
-        field_asset.queryset = field_asset.queryset.filter(
-            protocol=Asset.PROTOCOL_RDP
-        )
-        field_system_user = self.fields['system_user']
-        field_system_user.queryset = field_system_user.queryset.filter(
-            protocol=SystemUser.PROTOCOL_RDP
-        )
-
-    class Meta:
-        model = RemoteApp
-        fields = [
-            'name', 'asset', 'system_user', 'type', 'path', 'comment'
-        ]
-        widgets = {
-            'asset': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('Asset')
-            }),
-            'system_user': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('System user')
-            })
-        }
-
-    def _clean_params(self):
-        app_type = self.data.get('type')
-        fields = const.REMOTE_APP_TYPE_MAP_FIELDS.get(app_type, [])
-        params = {}
-        for field in fields:
-            name = field['name']
-            value = self.cleaned_data[name]
-            params.update({name: value})
-        return params
-
-    def _save_params(self, instance):
-        params = self._clean_params()
-        instance.params = params
-        instance.save()
-        return instance
-
-    def save(self, commit=True):
-        instance = super().save(commit=commit)
-        instance = self._save_params(instance)
-        return instance
--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -6,11 +6,10 @@

    Other module of this app shouldn't connect with other app.

-    :copyright: (c) 2014-2018 by Jumpserver Team.
+    :copyright: (c) 2014-2018 by JumpServer Team.
    :license: GPL v2, see LICENSE for more details.
 """


-from common.permissions import AdminUserRequiredMixin
 from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup
--- a/apps/applications/migrations/0002_remove_remoteapp_system_user.py
+++ b/apps/applications/migrations/0002_remove_remoteapp_system_user.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-09-09 09:57
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0001_initial'),
+        ('perms', '0009_remoteapppermission_system_users'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='remoteapp',
+            name='system_user',
+        ),
+    ]
--- a/apps/applications/migrations/0003_auto_20191210_1659.py
+++ b/apps/applications/migrations/0003_auto_20191210_1659.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.11 on 2019-12-10 08:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0002_remove_remoteapp_system_user'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='remoteapp',
+            name='type',
+            field=models.CharField(choices=[('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom')], default='chrome', max_length=128, verbose_name='App type'),
+        ),
+    ]
--- a/apps/applications/migrations/0004_auto_20191218_1705.py
+++ b/apps/applications/migrations/0004_auto_20191218_1705.py
@@ -0,0 +1,38 @@
+# Generated by Django 2.1.11 on 2019-12-18 09:05
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0003_auto_20191210_1659'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DatabaseApp',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('type', models.CharField(choices=[('mysql', 'MySQL')], default='mysql', max_length=128, verbose_name='Type')),
+                ('host', models.CharField(db_index=True, max_length=128, verbose_name='Host')),
+                ('port', models.IntegerField(default=3306, verbose_name='Port')),
+                ('database', models.CharField(blank=True, db_index=True, max_length=128, null=True, verbose_name='Database')),
+                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
+            ],
+            options={
+                'verbose_name': 'DatabaseApp',
+                'ordering': ('name',),
+            },
+        ),
+        migrations.AlterUniqueTogether(
+            name='databaseapp',
+            unique_together={('org_id', 'name')},
+        ),
+    ]
--- a/apps/applications/models/init.py
+++ b/apps/applications/models/init.py
@@ -1 +1,2 @@
 from .remote_app import *
+from .database_app import *
--- a/apps/applications/models/database_app.py
+++ b/apps/applications/models/database_app.py
@@ -0,0 +1,42 @@
+# coding: utf-8
+#
+
+import uuid
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from orgs.mixins.models import OrgModelMixin
+from common.mixins import CommonModelMixin
+from .. import const
+
+
+__all__ = ['DatabaseApp']
+
+
+class DatabaseApp(CommonModelMixin, OrgModelMixin):
+    id = models.UUIDField(default=uuid.uuid4, primary_key=True)
+    name = models.CharField(max_length=128, verbose_name=_('Name'))
+    type = models.CharField(
+        default=const.DATABASE_APP_TYPE_MYSQL,
+        choices=const.DATABASE_APP_TYPE_CHOICES,
+        max_length=128, verbose_name=_('Type')
+    )
+    host = models.CharField(
+        max_length=128, verbose_name=_('Host'), db_index=True
+    )
+    port = models.IntegerField(default=3306, verbose_name=_('Port'))
+    database = models.CharField(
+        max_length=128, blank=True, null=True, verbose_name=_('Database'),
+        db_index=True
+    )
+    comment = models.TextField(
+        max_length=128, default='', blank=True, verbose_name=_('Comment')
+    )
+
+    def __str__(self):
+        return self.name
+
+    class Meta:
+        unique_together = [('org_id', 'name'), ]
+        verbose_name = _("DatabaseApp")
+        ordering = ('name', )
--- a/apps/applications/models/remote_app.py
+++ b/apps/applications/models/remote_app.py
@@ -5,7 +5,7 @@ import uuid
 from django.db import models
 from django.utils.translation import ugettext_lazy as _

-from orgs.mixins import OrgModelMixin
+from orgs.mixins.models import OrgModelMixin
 from common.fields.model import EncryptJsonDictTextField

 from .. import const
@@ -22,10 +22,6 @@ class RemoteApp(OrgModelMixin):
    asset = models.ForeignKey(
        'assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset')
    )
-    system_user = models.ForeignKey(
-        'assets.SystemUser', on_delete=models.CASCADE,
-        verbose_name=_('System user')
-    )
    type = models.CharField(
        default=const.REMOTE_APP_TYPE_CHROME,
        choices=const.REMOTE_APP_TYPE_CHOICES,
@@ -66,7 +62,7 @@ class RemoteApp(OrgModelMixin):
        _parameters.append(self.type)
        path = '\"%s\"' % self.path
        _parameters.append(path)
-        for field in const.REMOTE_APP_TYPE_MAP_FIELDS[self.type]:
+        for field in const.REMOTE_APP_TYPE_FIELDS_MAP[self.type]:
            value = self.params.get(field['name'])
            if value is None:
                continue
@@ -80,10 +76,3 @@ class RemoteApp(OrgModelMixin):
            'id': self.asset.id,
            'hostname': self.asset.hostname
        }
-
-    @property
-    def system_user_info(self):
-        return {
-            'id': self.system_user.id,
-            'name': self.system_user.name
-        }
--- a/apps/applications/serializers/init.py
+++ b/apps/applications/serializers/init.py
@@ -1 +1,2 @@
 from .remote_app import *
+from .database_app import *
--- a/apps/applications/serializers/database_app.py
+++ b/apps/applications/serializers/database_app.py
@@ -0,0 +1,26 @@
+# coding: utf-8
+#
+
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from common.serializers import AdaptedBulkListSerializer
+
+from .. import models
+
+__all__ = [
+    'DatabaseAppSerializer',
+]
+
+
+class DatabaseAppSerializer(BulkOrgResourceModelSerializer):
+
+    class Meta:
+        model = models.DatabaseApp
+        list_serializer_class = AdaptedBulkListSerializer
+        fields = [
+            'id', 'name', 'type', 'get_type_display', 'host', 'port',
+            'database', 'comment', 'created_by', 'date_created', 'date_updated',
+        ]
+        read_only_fields = [
+            'created_by', 'date_created', 'date_updated'
+            'get_type_display',
+        ]
--- a/apps/applications/serializers/remote_app.py
+++ b/apps/applications/serializers/remote_app.py
@@ -1,11 +1,12 @@
 # coding: utf-8
 #

-
+import copy
 from rest_framework import serializers

-from common.mixins import BulkSerializerMixin
 from common.serializers import AdaptedBulkListSerializer
+from common.fields.serializer import CustomMetaDictField
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer

 from .. import const
 from ..models import RemoteApp
@@ -16,72 +17,54 @@ __all__ = [
 ]


-class RemoteAppParamsDictField(serializers.DictField):
-    """
-    RemoteApp field => params
-    """
-    @staticmethod
-    def filter_attribute(attribute, instance):
-        """
-        过滤掉params字段值中write_only特性的key-value值
-        For example, the chrome_password field is not returned when serializing
-        {
-            'chrome_target': 'http://www.jumpserver.org/',
-            'chrome_username': 'admin',
-            'chrome_password': 'admin',
-        }
-        """
-        for field in const.REMOTE_APP_TYPE_MAP_FIELDS[instance.type]:
-            if field.get('write_only', False):
-                attribute.pop(field['name'], None)
-        return attribute
-
-    def get_attribute(self, instance):
-        """
-        序列化时调用
-        """
-        attribute = super().get_attribute(instance)
-        attribute = self.filter_attribute(attribute, instance)
-        return attribute
-
-    @staticmethod
-    def filter_value(dictionary, value):
-        """
-        过滤掉不属于当前app_type所包含的key-value值
-        """
-        app_type = dictionary.get('type', const.REMOTE_APP_TYPE_CHROME)
-        fields = const.REMOTE_APP_TYPE_MAP_FIELDS[app_type]
-        fields_names = [field['name'] for field in fields]
-        no_need_keys = [k for k in value.keys() if k not in fields_names]
-        for k in no_need_keys:
-            value.pop(k)
-        return value
-
-    def get_value(self, dictionary):
-        """
-        反序列化时调用
-        """
-        value = super().get_value(dictionary)
-        value = self.filter_value(dictionary, value)
-        return value
+class RemoteAppParamsDictField(CustomMetaDictField):
+    type_fields_map = const.REMOTE_APP_TYPE_FIELDS_MAP
+    default_type = const.REMOTE_APP_TYPE_CHROME
+    convert_key_remove_type_prefix = False
+    convert_key_to_upper = False


-class RemoteAppSerializer(BulkSerializerMixin, serializers.ModelSerializer):
+class RemoteAppSerializer(BulkOrgResourceModelSerializer):
    params = RemoteAppParamsDictField()
+    type_fields_map = const.REMOTE_APP_TYPE_FIELDS_MAP

    class Meta:
        model = RemoteApp
        list_serializer_class = AdaptedBulkListSerializer
        fields = [
-            'id', 'name', 'asset', 'system_user', 'type', 'path', 'params',
-            'comment', 'created_by', 'date_created', 'asset_info',
-            'system_user_info', 'get_type_display',
+            'id', 'name', 'asset', 'asset_info', 'type', 'get_type_display',
+            'path', 'params', 'date_created', 'created_by', 'comment',
        ]
        read_only_fields = [
            'created_by', 'date_created', 'asset_info',
-            'system_user_info', 'get_type_display'
+            'get_type_display'
        ]

+    def process_params(self, instance, validated_data):
+        new_params = copy.deepcopy(validated_data.get('params', {}))
+        tp = validated_data.get('type', '')
+
+        if tp != instance.type:
+            return new_params
+
+        old_params = instance.params
+        fields = self.type_fields_map.get(instance.type, [])
+        for field in fields:
+            if not field.get('write_only', False):
+                continue
+            field_name = field['name']
+            new_value = new_params.get(field_name, '')
+            old_value = old_params.get(field_name, '')
+            field_value = new_value if new_value else old_value
+            new_params[field_name] = field_value
+
+        return new_params
+
+    def update(self, instance, validated_data):
+        params = self.process_params(instance, validated_data)
+        validated_data['params'] = params
+        return super().update(instance, validated_data)
+

 class RemoteAppConnectionInfoSerializer(serializers.ModelSerializer):
    parameter_remote_app = serializers.SerializerMethodField()
@@ -89,7 +72,7 @@ class RemoteAppConnectionInfoSerializer(serializers.ModelSerializer):
    class Meta:
        model = RemoteApp
        fields = [
-            'id', 'name', 'asset', 'system_user', 'parameter_remote_app',
+            'id', 'name', 'asset', 'parameter_remote_app',
        ]
        read_only_fields = ['parameter_remote_app']

--- a/apps/applications/templates/applications/remote_app_create_update.html
+++ b/apps/applications/templates/applications/remote_app_create_update.html
@@ -1,123 +0,0 @@
-{% extends '_base_create_update.html' %}
-{% load static %}
-{% load bootstrap3 %}
-{% load i18n %}
-
-{% block form %}
-    <form id="appForm" method="post" class="form-horizontal">
-        {% if form.non_field_errors %}
-            <div class="alert alert-danger">
-                {{ form.non_field_errors }}
-            </div>
-        {% endif %}
-        {% csrf_token %}
-        {% bootstrap_field form.name layout="horizontal" %}
-        {% bootstrap_field form.asset layout="horizontal" %}
-        {% bootstrap_field form.system_user layout="horizontal" %}
-        {% bootstrap_field form.type layout="horizontal" %}
-        {% bootstrap_field form.path layout="horizontal" %}
-
-        <div class="hr-line-dashed"></div>
-
-        {# chrome #}
-        <div class="chrome-fields">
-        {% bootstrap_field form.chrome_target layout="horizontal" %}
-        {% bootstrap_field form.chrome_username layout="horizontal" %}
-        {% bootstrap_field form.chrome_password layout="horizontal" %}
-        </div>
-
-        {# mysql workbench #}
-        <div class="mysql_workbench-fields">
-            {% bootstrap_field form.mysql_workbench_ip layout="horizontal" %}
-            {% bootstrap_field form.mysql_workbench_name layout="horizontal" %}
-            {% bootstrap_field form.mysql_workbench_username layout="horizontal" %}
-            {% bootstrap_field form.mysql_workbench_password layout="horizontal" %}
-        </div>
-
-        {# vmware #}
-        <div class="vmware_client-fields">
-        {% bootstrap_field form.vmware_target layout="horizontal" %}
-        {% bootstrap_field form.vmware_username layout="horizontal" %}
-        {% bootstrap_field form.vmware_password layout="horizontal" %}
-        </div>
-
-        {# custom #}
-        <div class="custom-fields">
-        {% bootstrap_field form.custom_cmdline layout="horizontal" %}
-        {% bootstrap_field form.custom_target layout="horizontal" %}
-        {% bootstrap_field form.custom_username layout="horizontal" %}
-        {% bootstrap_field form.custom_password layout="horizontal" %}
-        </div>
-
-        {% bootstrap_field form.comment layout="horizontal" %}
-        <div class="hr-line-dashed"></div>
-        <div class="form-group">
-            <div class="col-sm-4 col-sm-offset-2">
-                <button class="btn btn-default" type="reset"> {% trans 'Reset' %}</button>
-
-                <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
-            </div>
-        </div>
-
-    </form>
-{% endblock %}
-
-{% block custom_foot_js %}
-<script type="text/javascript">
-var app_type_id = '#' + '{{ form.type.id_for_label }}';
-var app_path_id = '#' + '{{ form.path.id_for_label }}';
-var all_type_fields = [
-    '.chrome-fields',
-    '.mysql_workbench-fields',
-    '.vmware_client-fields',
-    '.custom-fields'
-];
-var app_type_map_default_fields_value = {
-    'chrome': {
-        'app_path': 'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe'
-    },
-    'mysql_workbench': {
-        'app_path': 'C:\\Program Files\\MySQL\\MySQL Workbench 8.0 CE\\MySQLWorkbench.exe'
-    },
-    'vmware_client': {
-        'app_path': 'C:\\Program Files (x86)\\VMware\\Infrastructure\\Virtual Infrastructure Client\\Launcher\\VpxClient.exe'
-    },
-    'custom': {'app_path': ''}
-};
-function getAppType(){
-    return $(app_type_id+ " option:selected").val();
-}
-function initialDefaultValue(){
-    var app_type = getAppType();
-    var app_path = $(app_path_id).val();
-    if(app_path){
-        app_type_map_default_fields_value[app_type]['app_path'] = app_path
-    }
-}
-function setDefaultValue(){
-    // 设置类型相关字段的默认值
-    var app_type = getAppType();
-    var app_path = app_type_map_default_fields_value[app_type]['app_path'];
-    $(app_path_id).val(app_path)
-}
-function hiddenFields(){
-    var app_type = getAppType();
-    $.each(all_type_fields, function(index, value){
-        $(value).addClass('hidden')
-    });
-    $('.' + app_type + '-fields').removeClass('hidden');
-}
-$(document).ready(function () {
-    $('.select2').select2({
-        closeOnSelect: true
-    });
-    initialDefaultValue();
-    hiddenFields();
-    setDefaultValue();
-})
-.on('change', app_type_id, function(){
-    hiddenFields();
-    setDefaultValue();
-});
-</script>
-{% endblock %}
--- a/apps/applications/templates/applications/remote_app_detail.html
+++ b/apps/applications/templates/applications/remote_app_detail.html
@@ -1,109 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-
-{% block custom_head_css_js %}
-    <link href="{% static 'css/plugins/select2/select2.min.css' %}" rel="stylesheet">
-    <script src="{% static 'js/plugins/select2/select2.full.min.js' %}"></script>
-{% endblock %}
-
-{% block content %}
-    <div class="wrapper wrapper-content animated fadeInRight">
-        <div class="row">
-            <div class="col-sm-12">
-                <div class="ibox float-e-margins">
-                    <div class="panel-options">
-                        <ul class="nav nav-tabs">
-                            <li class="active">
-                                <a href="{% url 'applications:remote-app-detail' pk=remote_app.id %}" class="text-center"><i class="fa fa-laptop"></i> {% trans 'Detail' %} </a>
-                            </li>
-                            <li class="pull-right">
-                                <a class="btn btn-outline btn-default" href="{% url 'applications:remote-app-update' pk=remote_app.id %}"><i class="fa fa-edit"></i>{% trans 'Update' %}</a>
-                            </li>
-                            <li class="pull-right">
-                                <a class="btn btn-outline btn-danger btn-delete-application">
-                                    <i class="fa fa-trash-o"></i>{% trans 'Delete' %}
-                                </a>
-                            </li>
-                        </ul>
-                    </div>
-                    <div class="tab-content">
-                        <div class="col-sm-8" style="padding-left: 0;">
-                            <div class="ibox float-e-margins">
-                                <div class="ibox-title">
-                                    <span class="label"><b>{{ remote_app.name }}</b></span>
-                                    <div class="ibox-tools">
-                                        <a class="collapse-link">
-                                            <i class="fa fa-chevron-up"></i>
-                                        </a>
-                                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                                            <i class="fa fa-wrench"></i>
-                                        </a>
-                                        <ul class="dropdown-menu dropdown-user">
-                                        </ul>
-                                        <a class="close-link">
-                                            <i class="fa fa-times"></i>
-                                        </a>
-                                    </div>
-                                </div>
-                                <div class="ibox-content">
-                                    <table class="table">
-                                        <tbody>
-                                        <tr class="no-borders-tr">
-                                            <td>{% trans 'Name' %}:</td>
-                                            <td><b>{{ remote_app.name }}</b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'Asset' %}:</td>
-                                            <td><b><a href="{% url 'assets:asset-detail' pk=remote_app.asset.id %}">{{ remote_app.asset.hostname }}</a></b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'System user' %}:</td>
-                                            <td><b><a href="{% url 'assets:system-user-detail' pk=remote_app.system_user.id %}">{{ remote_app.system_user.name }}</a></b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'App type' %}:</td>
-                                            <td><b>{{ remote_app.get_type_display }}</b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'App path' %}:</td>
-                                            <td><b>{{ remote_app.path }}</b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'Date created' %}:</td>
-                                            <td><b>{{ remote_app.date_created }}</b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'Created by' %}:</td>
-                                            <td><b>{{ remote_app.created_by  }}</b></td>
-                                        </tr>
-                                        <tr>
-                                            <td>{% trans 'Comment' %}:</td>
-                                            <td><b>{{ remote_app.comment }}</b></td>
-                                        </tr>
-                                        </tbody>
-                                    </table>
-                                </div>
-                            </div>
-                        </div>
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-{% endblock %}
-{% block custom_foot_js %}
-<script>
-jumpserver.nodes_selected = {};
-$(document).ready(function () {
-})
-.on('click', '.btn-delete-application', function () {
-    var $this = $(this);
-    var name = "{{ remote_app.name }}";
-    var rid = "{{ remote_app.id }}";
-    var the_url = '{% url "api-applications:remote-app-detail" pk=DEFAULT_PK %}'.replace('{{ DEFAULT_PK }}', rid);
-    var redirect_url = "{% url 'applications:remote-app-list' %}";
-    objectDelete($this, name, the_url, redirect_url);
-})
-</script>
-{% endblock %}
--- a/apps/applications/templates/applications/remote_app_list.html
+++ b/apps/applications/templates/applications/remote_app_list.html
@@ -1,90 +0,0 @@
-{% extends '_base_list.html' %}
-{% load i18n static %}
-{% block help_message %}
-<div class="alert alert-info help-message">
-    {% trans 'Before using this feature, make sure that the application loader has been uploaded to the application server and successfully published as a RemoteApp application' %}
-    <b><a href="https://github.com/jumpserver/Jmservisor/releases" target="view_window" >{% trans 'Download application loader' %}</a></b>
-</div>
-{% endblock %}
-{% block table_search %}{% endblock %}
-{% block table_container %}
-    <div class="uc pull-left  m-r-5">
-        <a href="{% url 'applications:remote-app-create' %}" class="btn btn-sm btn-primary"> {% trans "Create RemoteApp" %} </a>
-    </div>
-    <table class="table table-striped table-bordered table-hover " id="remote_app_list_table" >
-        <thead>
-        <tr>
-            <th class="text-center">
-                <input type="checkbox" id="check_all" class="ipt_check_all" >
-            </th>
-            <th class="text-center">{% trans 'Name' %}</th>
-            <th class="text-center">{% trans 'App type' %}</th>
-            <th class="text-center">{% trans 'Asset' %}</th>
-            <th class="text-center">{% trans 'System user' %}</th>
-            <th class="text-center">{% trans 'Comment' %}</th>
-            <th class="text-center">{% trans 'Action' %}</th>
-        </tr>
-        </thead>
-        <tbody>
-        </tbody>
-    </table>
-{% endblock %}
-{% block content_bottom_left %}{% endblock %}
-{% block custom_foot_js %}
-<script>
-function initTable() {
-    var options = {
-        ele: $('#remote_app_list_table'),
-        columnDefs: [
-            {targets: 1, createdCell: function (td, cellData, rowData) {
-                    cellData = htmlEscape(cellData);
-                    {% url 'applications:remote-app-detail' pk=DEFAULT_PK as the_url  %}
-                    var detail_btn = '<a href="{{ the_url }}">' + cellData + '</a>';
-                    $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
-                }},
-            {targets: 3, createdCell: function (td, cellData, rowData) {
-                    var hostname = htmlEscape(cellData.hostname);
-                    var detail_btn = '<a href="{% url 'assets:asset-detail' pk=DEFAULT_PK %}">' + hostname + '</a>';
-                    $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', cellData.id));
-                }},
-            {targets: 4, createdCell: function (td, cellData, rowData) {
-                    var name = htmlEscape(cellData.name);
-                    var detail_btn = '<a href="{% url 'assets:system-user-detail' pk=DEFAULT_PK %}">' + name + '</a>';
-                    $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', cellData.id));
-                }},
-            {targets: 6, createdCell: function (td, cellData, rowData) {
-                    var update_btn = '<a href="{% url "applications:remote-app-update" pk=DEFAULT_PK %}" class="btn btn-xs btn-info">{% trans "Update" %}</a>'.replace("{{ DEFAULT_PK }}", cellData);
-                    var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-delete" data-rid="{{ DEFAULT_PK }}">{% trans "Delete" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
-                    $(td).html(update_btn + del_btn)
-                }}
-        ],
-        ajax_url: '{% url "api-applications:remote-app-list" %}',
-        columns: [
-            {data: "id"},
-            {data: "name" },
-            {data: "get_type_display", orderable: false},
-            {data: "asset_info", orderable: false},
-            {data: "system_user_info", orderable: false},
-            {data: "comment"},
-            {data: "id", orderable: false}
-        ],
-        op_html: $('#actions').html()
-    };
-    jumpserver.initServerSideDataTable(options);
-}
-$(document).ready(function(){
-    initTable();
-})
-.on('click', '.btn-delete', function () {
-    var $this = $(this);
-    var $data_table = $('#remote_app_list_table').DataTable();
-    var name = $(this).closest("tr").find(":nth-child(2)").children('a').html();
-    var rid = $this.data('rid');
-    var the_url = '{% url "api-applications:remote-app-detail" pk=DEFAULT_PK %}'.replace('{{ DEFAULT_PK }}', rid);
-    objectDelete($this, name, the_url);
-    setTimeout( function () {
-        $data_table.ajax.reload();
-    }, 3000);
-});
-</script>
-{% endblock %}
--- a/apps/applications/templates/applications/user_remote_app_list.html
+++ b/apps/applications/templates/applications/user_remote_app_list.html
@@ -1,79 +0,0 @@
-{% extends 'base.html' %}
-{% load i18n static %}
-
-{% block custom_head_css_js %}
-    <script src="{% static 'js/jquery.form.min.js' %}"></script>
-{% endblock %}
-
-{% block content %}
-<div class="mail-box-header">
-    <table class="table table-striped table-bordered table-hover " id="remote_app_list_table" >
-        <thead>
-        <tr>
-            <th class="text-center">
-                <input type="checkbox" id="check_all" class="ipt_check_all" >
-            </th>
-            <th class="text-center">{% trans 'Name' %}</th>
-            <th class="text-center">{% trans 'App type' %}</th>
-            <th class="text-center">{% trans 'Asset' %}</th>
-            <th class="text-center">{% trans 'System user' %}</th>
-            <th class="text-center">{% trans 'Comment' %}</th>
-            <th class="text-center">{% trans 'Action' %}</th>
-        </tr>
-        </thead>
-        <tbody>
-        </tbody>
-    </table>
-</div>
-{% endblock %}
-{% block custom_foot_js %}
-<script>
-var inited = false;
-var remote_app_table, url;
-
-function initTable() {
-    if (inited){
-        return
-    } else {
-        inited = true;
-    }
-    url = '{% url "api-perms:my-remote-apps" %}';
-    var options = {
-        ele: $('#remote_app_list_table'),
-        columnDefs: [
-            {targets: 1, createdCell: function (td, cellData, rowData) {
-                    var name = htmlEscape(cellData);
-                    $(td).html(name)
-                }},
-            {targets: 3, createdCell: function (td, cellData, rowData) {
-                    var hostname = htmlEscape(cellData.hostname);
-                    $(td).html(hostname);
-                }},
-            {targets: 4, createdCell: function (td, cellData, rowData) {
-                    var name = htmlEscape(cellData.name);
-                    $(td).html(name);
-                }},
-            {targets: 6, createdCell: function (td, cellData, rowData) {
-                    var conn_btn = '<a href="{% url "luna-view" %}?login_to=' +  cellData +'" class="btn btn-xs btn-primary">{% trans "Connect" %}</a>'.replace("{{ DEFAULT_PK }}", cellData);
-                    $(td).html(conn_btn)
-                }}
-        ],
-        ajax_url: url,
-        columns: [
-            {data: "id"},
-            {data: "name"},
-            {data: "get_type_display", orderable: false},
-            {data: "asset_info", orderable: false},
-            {data: "system_user_info", orderable: false},
-            {data: "comment", orderable: false},
-            {data: "id", orderable: false}
-        ]
-    };
-    remote_app_table = jumpserver.initServerSideDataTable(options);
-    return remote_app_table
-}
-$(document).ready(function(){
-    initTable();
-})
-</script>
-{% endblock %}
--- a/apps/applications/urls/api_urls.py
+++ b/apps/applications/urls/api_urls.py
@@ -1,20 +1,24 @@
 # coding:utf-8
 #

-from django.urls import path
+from django.urls import path, re_path
 from rest_framework_bulk.routes import BulkRouter

+from common import api as capi
 from .. import api

 app_name = 'applications'

 router = BulkRouter()
-router.register(r'remote-app', api.RemoteAppViewSet, 'remote-app')
+router.register(r'remote-apps', api.RemoteAppViewSet, 'remote-app')
+router.register(r'database-apps', api.DatabaseAppViewSet, 'database-app')

 urlpatterns = [
-    path('remote-apps/<uuid:pk>/connection-info/',
-         api.RemoteAppConnectionInfoApi.as_view(),
-         name='remote-app-connection-info')
+    path('remote-apps/<uuid:pk>/connection-info/', api.RemoteAppConnectionInfoApi.as_view(), name='remote-app-connection-info'),
 ]

-urlpatterns += router.urls
+old_version_urlpatterns = [
+    re_path('(?P<resource>remote-app)/.*', capi.redirect_plural_name_api)
+]
+
+urlpatterns += router.urls + old_version_urlpatterns
--- a/apps/applications/urls/views_urls.py
+++ b/apps/applications/urls/views_urls.py
@@ -1,16 +1,7 @@
 # coding:utf-8
 from django.urls import path
-from .. import views

 app_name = 'applications'

 urlpatterns = [
-    # RemoteApp
-    path('remote-app/', views.RemoteAppListView.as_view(), name='remote-app-list'),
-    path('remote-app/create/', views.RemoteAppCreateView.as_view(), name='remote-app-create'),
-    path('remote-app/<uuid:pk>/update/', views.RemoteAppUpdateView.as_view(), name='remote-app-update'),
-    path('remote-app/<uuid:pk>/', views.RemoteAppDetailView.as_view(), name='remote-app-detail'),
-    # User RemoteApp view
-    path('user-remote-app/', views.UserRemoteAppListView.as_view(), name='user-remote-app-list')
-
 ]
--- a/apps/applications/views/init.py
+++ b/apps/applications/views/init.py
@@ -1 +0,0 @@
-from .remote_app import *
--- a/apps/applications/views/remote_app.py
+++ b/apps/applications/views/remote_app.py
@@ -1,99 +0,0 @@
-#  coding: utf-8
-#
-
-from django.utils.translation import ugettext as _
-from django.views.generic import TemplateView
-from django.views.generic.edit import CreateView, UpdateView
-from django.views.generic.detail import DetailView
-from django.contrib.messages.views import SuccessMessageMixin
-from django.contrib.auth.mixins import LoginRequiredMixin
-from django.urls import reverse_lazy
-
-
-from common.permissions import AdminUserRequiredMixin
-from common.const import create_success_msg, update_success_msg
-
-from ..models import RemoteApp
-from .. import forms
-
-
-__all__ = [
-    'RemoteAppListView', 'RemoteAppCreateView', 'RemoteAppUpdateView',
-    'RemoteAppDetailView', 'UserRemoteAppListView',
-]
-
-
-class RemoteAppListView(AdminUserRequiredMixin, TemplateView):
-    template_name = 'applications/remote_app_list.html'
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'app': _('Assets'),
-            'action': _('RemoteApp list'),
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
-
-
-class RemoteAppCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
-    template_name = 'applications/remote_app_create_update.html'
-    model = RemoteApp
-    form_class = forms.RemoteAppCreateUpdateForm
-    success_url = reverse_lazy('applications:remote-app-list')
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'app': _('Assets'),
-            'action': _('Create RemoteApp'),
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
-
-    def get_success_message(self, cleaned_data):
-        return create_success_msg % ({'name': cleaned_data['name']})
-
-
-class RemoteAppUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
-    template_name = 'applications/remote_app_create_update.html'
-    model = RemoteApp
-    form_class = forms.RemoteAppCreateUpdateForm
-    success_url = reverse_lazy('applications:remote-app-list')
-
-    def get_initial(self):
-        return {k: v for k, v in self.object.params.items()}
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'app': _('Assets'),
-            'action': _('Update RemoteApp'),
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
-
-    def get_success_message(self, cleaned_data):
-        return update_success_msg % ({'name': cleaned_data['name']})
-
-
-class RemoteAppDetailView(AdminUserRequiredMixin, DetailView):
-    template_name = 'applications/remote_app_detail.html'
-    model = RemoteApp
-    context_object_name = 'remote_app'
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'app': _('Assets'),
-            'action': _('RemoteApp detail'),
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
-
-
-class UserRemoteAppListView(LoginRequiredMixin, TemplateView):
-    template_name = 'applications/user_remote_app_list.html'
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'action': _('My RemoteApp'),
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
--- a/apps/assets/api/init.py
+++ b/apps/assets/api/init.py
@@ -2,7 +2,10 @@ from .admin_user import *
 from .asset import *
 from .label import *
 from .system_user import *
+from .system_user_relation import *
 from .node import *
 from .domain import *
 from .cmd_filter import *
 from .asset_user import *
+from .gathered_user import *
+from .favorite_asset import *
--- a/apps/assets/api/admin_user.py
+++ b/apps/assets/api/admin_user.py
@@ -1,26 +1,14 @@
-# ~*~ coding: utf-8 ~*~
-# Copyright (C) 2014-2018 Beijing DuiZhan Technology Co.,Ltd. All Rights Reserved.
-#
-# Licensed under the GNU General Public License v2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.gnu.org/licenses/gpl-2.0.html
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+

 from django.db import transaction
+from django.db.models import Count
 from django.shortcuts import get_object_or_404
-from rest_framework import generics
+from django.utils.translation import ugettext as _
+from rest_framework import status
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
-from rest_framework.pagination import LimitOffsetPagination
+from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.mixins import generics

-from common.mixins import IDInCacheFilterMixin
 from common.utils import get_logger
 from ..hands import IsOrgAdmin
 from ..models import AdminUser, Asset
@@ -36,31 +24,38 @@ __all__ = [
 ]


-class AdminUserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
+class AdminUserViewSet(OrgBulkModelViewSet):
    """
    Admin user api set, for add,delete,update,list,retrieve resource
    """
-
+    model = AdminUser
    filter_fields = ("name", "username")
    search_fields = filter_fields
-    queryset = AdminUser.objects.all()
    serializer_class = serializers.AdminUserSerializer
    permission_classes = (IsOrgAdmin,)
-    pagination_class = LimitOffsetPagination

    def get_queryset(self):
-        queryset = super().get_queryset().all()
+        queryset = super().get_queryset()
+        queryset = queryset.annotate(assets_amount=Count('assets'))
        return queryset

+    def destroy(self, request, *args, **kwargs):
+        instance = self.get_object()
+        has_related_asset = instance.assets.exists()
+        if has_related_asset:
+            data = {'msg': _('Deleted failed, There are related assets')}
+            return Response(data=data, status=status.HTTP_400_BAD_REQUEST)
+        return super().destroy(request, *args, **kwargs)
+

 class AdminUserAuthApi(generics.UpdateAPIView):
-    queryset = AdminUser.objects.all()
+    model = AdminUser
    serializer_class = serializers.AdminUserAuthSerializer
    permission_classes = (IsOrgAdmin,)


 class ReplaceNodesAdminUserApi(generics.UpdateAPIView):
-    queryset = AdminUser.objects.all()
+    model = AdminUser
    serializer_class = serializers.ReplaceNodeAdminUserSerializer
    permission_classes = (IsOrgAdmin,)

@@ -85,7 +80,7 @@ class AdminUserTestConnectiveApi(generics.RetrieveAPIView):
    """
    Test asset admin user assets_connectivity
    """
-    queryset = AdminUser.objects.all()
+    model = AdminUser
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.TaskIDSerializer

@@ -98,7 +93,6 @@ class AdminUserTestConnectiveApi(generics.RetrieveAPIView):
 class AdminUserAssetsListView(generics.ListAPIView):
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.AssetSimpleSerializer
-    pagination_class = LimitOffsetPagination
    filter_fields = ("hostname", "ip")
    http_method_names = ['get']
    search_fields = filter_fields
--- a/apps/assets/api/asset.py
+++ b/apps/assets/api/asset.py
@@ -1,175 +1,126 @@
 # -*- coding: utf-8 -*-
 #

-import uuid
-import random
-
-from rest_framework import generics
-from rest_framework.views import APIView
-from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
-from rest_framework_bulk import ListBulkCreateUpdateDestroyAPIView
-from rest_framework.pagination import LimitOffsetPagination
-from django.utils.translation import ugettext_lazy as _
+from rest_framework.viewsets import ModelViewSet
+from rest_framework.generics import RetrieveAPIView
 from django.shortcuts import get_object_or_404
-from django.urls import reverse_lazy
-from django.core.cache import cache
-from django.db.models import Q
-
-from common.mixins import IDInCacheFilterMixin

 from common.utils import get_logger, get_object_or_none
-from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
-from ..const import CACHE_KEY_ASSET_BULK_UPDATE_ID_PREFIX
-from ..models import Asset, AdminUser, Node
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsSuperUser
+from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.mixins import generics
+from ..models import Asset, Node, Platform
 from .. import serializers
-from ..tasks import update_asset_hardware_info_manual, \
-    test_asset_connectivity_manual
-from ..utils import LabelFilter
+from ..tasks import (
+    update_asset_hardware_info_manual, test_asset_connectivity_manual
+)
+from ..filters import AssetByNodeFilterBackend, LabelFilterBackend


 logger = get_logger(__file__)
 __all__ = [
-    'AssetViewSet', 'AssetListUpdateApi',
-    'AssetRefreshHardwareApi', 'AssetAdminUserTestApi',
-    'AssetGatewayApi', 'AssetBulkUpdateSelectAPI'
+    'AssetViewSet', 'AssetPlatformRetrieveApi',
+    'AssetGatewayListApi', 'AssetPlatformViewSet',
+    'AssetTaskCreateApi',
 ]


-class AssetViewSet(IDInCacheFilterMixin, LabelFilter, BulkModelViewSet):
+class AssetViewSet(OrgBulkModelViewSet):
    """
    API endpoint that allows Asset to be viewed or edited.
    """
-    filter_fields = ("hostname", "ip")
-    search_fields = filter_fields
+    model = Asset
+    filter_fields = (
+        "hostname", "ip", "systemuser__id", "admin_user__id", "platform__base",
+        "is_active"
+    )
+    search_fields = ("hostname", "ip")
    ordering_fields = ("hostname", "ip", "port", "cpu_cores")
-    queryset = Asset.objects.all()
-    serializer_class = serializers.AssetSerializer
-    pagination_class = LimitOffsetPagination
+    serializer_classes = {
+        'default': serializers.AssetSerializer,
+        'display': serializers.AssetDisplaySerializer,
+    }
    permission_classes = (IsOrgAdminOrAppUser,)
+    extra_filter_backends = [AssetByNodeFilterBackend, LabelFilterBackend]

    def set_assets_node(self, assets):
        if not isinstance(assets, list):
            assets = [assets]
-        node = Node.root()
        node_id = self.request.query_params.get('node_id')
-        if node_id:
-            node = get_object_or_none(Node, pk=node_id)
+        if not node_id:
+            return
+        node = get_object_or_none(Node, pk=node_id)
+        if not node:
+            return
        node.assets.add(*assets)

    def perform_create(self, serializer):
        assets = serializer.save()
        self.set_assets_node(assets)

-    def filter_node(self, queryset):
-        node_id = self.request.query_params.get("node_id")
-        if not node_id:
-            return queryset

-        node = get_object_or_404(Node, id=node_id)
-        show_current_asset = self.request.query_params.get("show_current_asset") in ('1', 'true')
+class AssetPlatformRetrieveApi(RetrieveAPIView):
+    queryset = Platform.objects.all()
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.PlatformSerializer

-        if node.is_root() and show_current_asset:
-            queryset = queryset.filter(
-                Q(nodes=node_id) | Q(nodes__isnull=True)
+    def get_object(self):
+        asset_pk = self.kwargs.get('pk')
+        asset = get_object_or_404(Asset, pk=asset_pk)
+        return asset.platform
+
+
+class AssetPlatformViewSet(ModelViewSet):
+    queryset = Platform.objects.all()
+    permission_classes = (IsSuperUser,)
+    serializer_class = serializers.PlatformSerializer
+    filter_fields = ['name', 'base']
+    search_fields = ['name']
+
+    def get_permissions(self):
+        if self.request.method.lower() in ['get', 'options']:
+            self.permission_classes = (IsOrgAdmin,)
+        return super().get_permissions()
+
+    def check_object_permissions(self, request, obj):
+        if request.method.lower() in ['delete', 'put', 'patch'] and obj.internal:
+            self.permission_denied(
+                request, message={"detail": "Internal platform"}
            )
-        elif node.is_root() and not show_current_asset:
-            pass
-        elif not node.is_root() and show_current_asset:
-            queryset = queryset.filter(nodes=node)
+        return super().check_object_permissions(request, obj)
+
+
+class AssetTaskCreateApi(generics.CreateAPIView):
+    model = Asset
+    serializer_class = serializers.AssetTaskSerializer
+    permission_classes = (IsOrgAdmin,)
+
+    def get_object(self):
+        pk = self.kwargs.get("pk")
+        instance = get_object_or_404(Asset, pk=pk)
+        return instance
+
+    def perform_create(self, serializer):
+        asset = self.get_object()
+        action = serializer.validated_data["action"]
+        if action == "refresh":
+            task = update_asset_hardware_info_manual.delay(asset)
        else:
-            queryset = queryset.filter(
-                nodes__key__regex='^{}(:[0-9]+)*$'.format(node.key),
-            )
-        return queryset
-
-    def filter_admin_user_id(self, queryset):
-        admin_user_id = self.request.query_params.get('admin_user_id')
-        if not admin_user_id:
-            return queryset
-        admin_user = get_object_or_404(AdminUser, id=admin_user_id)
-        queryset = queryset.filter(admin_user=admin_user)
-        return queryset
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = self.filter_node(queryset)
-        queryset = self.filter_admin_user_id(queryset)
-        return queryset
-
-    def get_queryset(self):
-        queryset = super().get_queryset().distinct()
-        queryset = self.get_serializer_class().setup_eager_loading(queryset)
-        return queryset
+            task = test_asset_connectivity_manual.delay(asset)
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)


-class AssetListUpdateApi(IDInCacheFilterMixin, ListBulkCreateUpdateDestroyAPIView):
-    """
-    Asset bulk update api
-    """
-    queryset = Asset.objects.all()
-    serializer_class = serializers.AssetSerializer
-    permission_classes = (IsOrgAdmin,)
-
-
-class AssetBulkUpdateSelectAPI(APIView):
-    permission_classes = (IsOrgAdmin,)
-
-    def post(self, request, *args, **kwargs):
-        assets_id = request.data.get('assets_id', '')
-        if assets_id:
-            spm = uuid.uuid4().hex
-            key = CACHE_KEY_ASSET_BULK_UPDATE_ID_PREFIX.format(spm)
-            cache.set(key, assets_id, 300)
-            url = reverse_lazy('assets:asset-bulk-update') + '?spm=%s' % spm
-            return Response({'url': url})
-        error = _('Please select assets that need to be updated')
-        return Response({'error': error}, status=400)
-
-
-class AssetRefreshHardwareApi(generics.RetrieveAPIView):
-    """
-    Refresh asset hardware info
-    """
-    queryset = Asset.objects.all()
-    serializer_class = serializers.AssetSerializer
-    permission_classes = (IsOrgAdmin,)
-
-    def retrieve(self, request, *args, **kwargs):
-        asset_id = kwargs.get('pk')
-        asset = get_object_or_404(Asset, pk=asset_id)
-        task = update_asset_hardware_info_manual.delay(asset)
-        return Response({"task": task.id})
-
-
-class AssetAdminUserTestApi(generics.RetrieveAPIView):
-    """
-    Test asset admin user assets_connectivity
-    """
-    queryset = Asset.objects.all()
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.TaskIDSerializer
-
-    def retrieve(self, request, *args, **kwargs):
-        asset_id = kwargs.get('pk')
-        asset = get_object_or_404(Asset, pk=asset_id)
-        task = test_asset_connectivity_manual.delay(asset)
-        return Response({"task": task.id})
-
-
-class AssetGatewayApi(generics.RetrieveAPIView):
-    queryset = Asset.objects.all()
+class AssetGatewayListApi(generics.ListAPIView):
    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.GatewayWithAuthSerializer
+    model = Asset

-    def retrieve(self, request, *args, **kwargs):
-        asset_id = kwargs.get('pk')
+    def get_queryset(self):
+        asset_id = self.kwargs.get('pk')
        asset = get_object_or_404(Asset, pk=asset_id)
-
-        if asset.domain and \
-                asset.domain.gateways.filter(protocol=asset.protocol).exists():
-            gateway = random.choice(asset.domain.gateways.filter(protocol=asset.protocol))
-            serializer = serializers.GatewayWithAuthSerializer(instance=gateway)
-            return Response(serializer.data)
-        else:
-            return Response({"msg": "Not have gateway"}, status=404)
+        if not asset.domain:
+            return []
+        queryset = asset.domain.gateways.filter(protocol='ssh')
+        return queryset
--- a/apps/assets/api/asset_user.py
+++ b/apps/assets/api/asset_user.py
@@ -1,101 +1,157 @@
 # -*- coding: utf-8 -*-
 #
-
-
+import coreapi
+from django.conf import settings
 from rest_framework.response import Response
-from rest_framework import viewsets, status, generics
-from rest_framework.pagination import LimitOffsetPagination
+from rest_framework import generics, filters
+from rest_framework_bulk import BulkModelViewSet

-from common.permissions import IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
 from common.utils import get_object_or_none, get_logger
-
-from ..backends.multi import AssetUserManager
-from ..models import Asset
+from common.mixins import CommonApiMixin
+from ..backends import AssetUserManager
+from ..models import Asset, Node, SystemUser
 from .. import serializers
-from ..tasks import test_asset_users_connectivity_manual
+from ..tasks import (
+    test_asset_users_connectivity_manual, push_system_user_a_asset_manual
+)


 __all__ = [
-    'AssetUserViewSet', 'AssetUserAuthInfoApi', 'AssetUserTestConnectiveApi',
+    'AssetUserViewSet', 'AssetUserAuthInfoViewSet', 'AssetUserTaskCreateAPI',
 ]


 logger = get_logger(__name__)


-class AssetUserViewSet(viewsets.GenericViewSet):
-    pagination_class = LimitOffsetPagination
-    serializer_class = serializers.AssetUserSerializer
-    permission_classes = (IsOrgAdminOrAppUser, )
-    http_method_names = ['get', 'post']
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        serializer.save()
-        return Response(serializer.data, status=status.HTTP_201_CREATED)
-
-    def list(self, request, *args, **kwargs):
-        queryset = self.filter_queryset(self.get_queryset())
-        serializer = self.get_serializer(queryset, many=True)
-        return Response(serializer.data)
-
-    def get_queryset(self):
-        username = self.request.GET.get('username')
-        asset_id = self.request.GET.get('asset_id')
-        asset = get_object_or_none(Asset, pk=asset_id)
-        queryset = AssetUserManager.filter(username=username, asset=asset)
-        return queryset
-
-    def filter_queryset(self, queryset):
-        queryset = sorted(
-            queryset,
-            key=lambda q: (q.asset.hostname, q.connectivity, q.username)
-        )
+class AssetUserFilterBackend(filters.BaseFilterBackend):
+    def filter_queryset(self, request, queryset, view):
+        kwargs = {}
+        for field in view.filter_fields:
+            value = request.GET.get(field)
+            if not value:
+                continue
+            if field == "node_id":
+                value = get_object_or_none(Node, pk=value)
+                kwargs["node"] = value
+                continue
+            elif field == "asset_id":
+                field = "asset"
+            kwargs[field] = value
+        if kwargs:
+            queryset = queryset.filter(**kwargs)
+        logger.debug("Filter {}".format(kwargs))
        return queryset


-class AssetUserAuthInfoApi(generics.RetrieveAPIView):
-    serializer_class = serializers.AssetUserAuthInfoSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+class AssetUserSearchBackend(filters.BaseFilterBackend):
+    def filter_queryset(self, request, queryset, view):
+        value = request.GET.get('search')
+        if not value:
+            return queryset
+        queryset = queryset.search(value)
+        return queryset

-    def retrieve(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.get_serializer(instance)
-        status_code = status.HTTP_200_OK
-        if not instance:
-            status_code = status.HTTP_400_BAD_REQUEST
-        return Response(serializer.data, status=status_code)
+
+class AssetUserLatestFilterBackend(filters.BaseFilterBackend):
+    def get_schema_fields(self, view):
+        return [
+            coreapi.Field(
+                name='latest', location='query', required=False,
+                type='string', example='1',
+                description='Only the latest version'
+            )
+        ]
+
+    def filter_queryset(self, request, queryset, view):
+        latest = request.GET.get('latest') == '1'
+        if latest:
+            queryset = queryset.distinct()
+        return queryset
+
+
+class AssetUserViewSet(CommonApiMixin, BulkModelViewSet):
+    serializer_classes = {
+        'default': serializers.AssetUserWriteSerializer,
+        'display': serializers.AssetUserReadSerializer,
+        'retrieve': serializers.AssetUserReadSerializer,
+    }
+    permission_classes = [IsOrgAdminOrAppUser]
+    filter_fields = [
+        "id", "ip", "hostname", "username",
+        "asset_id", "node_id",
+        "prefer", "prefer_id",
+    ]
+    search_fields = ["ip", "hostname", "username"]
+    filter_backends = [
+        AssetUserFilterBackend, AssetUserSearchBackend,
+        AssetUserLatestFilterBackend,
+    ]
+
+    def allow_bulk_destroy(self, qs, filtered):
+        return False

    def get_object(self):
-        username = self.request.GET.get('username')
-        asset_id = self.request.GET.get('asset_id')
-        asset = get_object_or_none(Asset, pk=asset_id)
-        try:
-            instance = AssetUserManager.get(username, asset)
-        except Exception as e:
+        pk = self.kwargs.get("pk")
+        if pk is None:
+            return
+        queryset = self.get_queryset()
+        obj = queryset.get(id=pk)
+        return obj
+
+    def get_exception_handler(self):
+        def handler(e, context):
            logger.error(e, exc_info=True)
-            return None
-        else:
-            return instance
+            return Response({"error": str(e)}, status=400)
+        return handler
+
+    def perform_destroy(self, instance):
+        manager = AssetUserManager()
+        manager.delete(instance)
+
+    def get_queryset(self):
+        manager = AssetUserManager()
+        queryset = manager.all()
+        return queryset


-class AssetUserTestConnectiveApi(generics.RetrieveAPIView):
-    """
-    Test asset users connective
-    """
+class AssetUserAuthInfoViewSet(AssetUserViewSet):
+    serializer_classes = {"default": serializers.AssetUserAuthInfoSerializer}
+    http_method_names = ['get', 'post']
+    permission_classes = [IsOrgAdminOrAppUser]
+
+    def get_permissions(self):
+        if settings.SECURITY_VIEW_AUTH_NEED_MFA:
+            self.permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+        return super().get_permissions()
+
+
+class AssetUserTaskCreateAPI(generics.CreateAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.AssetUserTaskSerializer
+    filter_backends = AssetUserViewSet.filter_backends
+    filter_fields = AssetUserViewSet.filter_fields

    def get_asset_users(self):
-        username = self.request.GET.get('username')
-        asset_id = self.request.GET.get('asset_id')
-        asset = get_object_or_none(Asset, pk=asset_id)
-        asset_users = AssetUserManager.filter(username=username, asset=asset)
-        return asset_users
+        manager = AssetUserManager()
+        queryset = manager.all()
+        for cls in self.filter_backends:
+            queryset = cls().filter_queryset(self.request, queryset, self)
+        return list(queryset)

-    def retrieve(self, request, *args, **kwargs):
+    def perform_create(self, serializer):
        asset_users = self.get_asset_users()
+        # action = serializer.validated_data["action"]
+        # only this
+        # if action == "test":
        task = test_asset_users_connectivity_manual.delay(asset_users)
-        return Response({"task": task.id})
-
-
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)
+        return task

+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+        return handler
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -1,10 +1,9 @@
 # -*- coding: utf-8 -*-
 #

-from rest_framework_bulk import BulkModelViewSet
-from rest_framework.pagination import LimitOffsetPagination
 from django.shortcuts import get_object_or_404

+from orgs.mixins.api import OrgBulkModelViewSet
 from ..hands import IsOrgAdmin
 from ..models import CommandFilter, CommandFilterRule
 from .. import serializers
@@ -13,21 +12,20 @@ from .. import serializers
 __all__ = ['CommandFilterViewSet', 'CommandFilterRuleViewSet']


-class CommandFilterViewSet(BulkModelViewSet):
+class CommandFilterViewSet(OrgBulkModelViewSet):
+    model = CommandFilter
    filter_fields = ("name",)
    search_fields = filter_fields
    permission_classes = (IsOrgAdmin,)
-    queryset = CommandFilter.objects.all()
    serializer_class = serializers.CommandFilterSerializer
-    pagination_class = LimitOffsetPagination


-class CommandFilterRuleViewSet(BulkModelViewSet):
+class CommandFilterRuleViewSet(OrgBulkModelViewSet):
+    model = CommandFilterRule
    filter_fields = ("content",)
    search_fields = filter_fields
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.CommandFilterRuleSerializer
-    pagination_class = LimitOffsetPagination

    def get_queryset(self):
        fpk = self.kwargs.get('filter_pk')
--- a/apps/assets/api/domain.py
+++ b/apps/assets/api/domain.py
@@ -1,13 +1,11 @@
 # ~*~ coding: utf-8 ~*~

-from rest_framework_bulk import BulkModelViewSet
 from rest_framework.views import APIView, Response
-from rest_framework.pagination import LimitOffsetPagination
-
 from django.views.generic.detail import SingleObjectMixin

 from common.utils import get_logger
-from common.permissions import IsOrgAdmin, IsAppUser, IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
+from orgs.mixins.api import OrgBulkModelViewSet
 from ..models import Domain, Gateway
 from .. import serializers

@@ -16,39 +14,29 @@ logger = get_logger(__file__)
 __all__ = ['DomainViewSet', 'GatewayViewSet', "GatewayTestConnectionApi"]


-class DomainViewSet(BulkModelViewSet):
-    queryset = Domain.objects.all()
-    permission_classes = (IsOrgAdmin,)
+class DomainViewSet(OrgBulkModelViewSet):
+    model = Domain
+    filter_fields = ("name", )
+    search_fields = filter_fields
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.DomainSerializer
-    pagination_class = LimitOffsetPagination
-
-    def get_queryset(self):
-        queryset = super().get_queryset().all()
-        return queryset

    def get_serializer_class(self):
        if self.request.query_params.get('gateway'):
            return serializers.DomainWithGatewaySerializer
        return super().get_serializer_class()

-    def get_permissions(self):
-        if self.request.query_params.get('gateway'):
-            self.permission_classes = (IsOrgAdminOrAppUser,)
-        return super().get_permissions()

-
-class GatewayViewSet(BulkModelViewSet):
+class GatewayViewSet(OrgBulkModelViewSet):
+    model = Gateway
    filter_fields = ("domain__name", "name", "username", "ip", "domain")
-    search_fields = filter_fields
-    queryset = Gateway.objects.all()
+    search_fields = ("domain__name", "name", "username", "ip")
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.GatewaySerializer
-    pagination_class = LimitOffsetPagination


 class GatewayTestConnectionApi(SingleObjectMixin, APIView):
    permission_classes = (IsOrgAdmin,)
-    model = Gateway
    object = None

    def post(self, request, *args, **kwargs):
@@ -58,4 +46,4 @@ class GatewayTestConnectionApi(SingleObjectMixin, APIView):
        if ok:
            return Response("ok")
        else:
-            return Response({"failed": e}, status=404)
+            return Response({"error": e}, status=400)
--- a/apps/assets/api/favorite_asset.py
+++ b/apps/assets/api/favorite_asset.py
@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+#
+from rest_framework_bulk import BulkModelViewSet
+
+from common.permissions import IsValidUser
+from orgs.utils import tmp_to_root_org
+from ..models import FavoriteAsset
+from ..serializers import FavoriteAssetSerializer
+
+__all__ = ['FavoriteAssetViewSet']
+
+
+class FavoriteAssetViewSet(BulkModelViewSet):
+    serializer_class = FavoriteAssetSerializer
+    permission_classes = (IsValidUser,)
+    filter_fields = ['asset']
+
+    def dispatch(self, request, *args, **kwargs):
+        with tmp_to_root_org():
+            return super().dispatch(request, *args, **kwargs)
+
+    def get_queryset(self):
+        queryset = FavoriteAsset.objects.filter(user=self.request.user)
+        return queryset
+
+    def allow_bulk_destroy(self, qs, filtered):
+        return filtered.count() == 1
--- a/apps/assets/api/gathered_user.py
+++ b/apps/assets/api/gathered_user.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+#
+
+from orgs.mixins.api import OrgModelViewSet
+from assets.models import GatheredUser
+from common.permissions import IsOrgAdmin
+
+from ..serializers import GatheredUserSerializer
+from ..filters import AssetRelatedByNodeFilterBackend
+
+
+__all__ = ['GatheredUserViewSet']
+
+
+class GatheredUserViewSet(OrgModelViewSet):
+    model = GatheredUser
+    serializer_class = GatheredUserSerializer
+    permission_classes = [IsOrgAdmin]
+    extra_filter_backends = [AssetRelatedByNodeFilterBackend]
+
+    filter_fields = ['asset', 'username', 'present', 'asset__ip', 'asset__hostname', 'asset_id']
+    search_fields = ['username', 'asset__ip', 'asset__hostname']
--- a/apps/assets/api/label.py
+++ b/apps/assets/api/label.py
@@ -13,11 +13,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from rest_framework_bulk import BulkModelViewSet
-from rest_framework.pagination import LimitOffsetPagination
 from django.db.models import Count

 from common.utils import get_logger
+from orgs.mixins.api import OrgBulkModelViewSet
 from ..hands import IsOrgAdmin
 from ..models import Label
 from .. import serializers
@@ -27,12 +26,12 @@ logger = get_logger(__file__)
 __all__ = ['LabelViewSet']


-class LabelViewSet(BulkModelViewSet):
+class LabelViewSet(OrgBulkModelViewSet):
+    model = Label
    filter_fields = ("name", "value")
    search_fields = filter_fields
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.LabelSerializer
-    pagination_class = LimitOffsetPagination

    def list(self, request, *args, **kwargs):
        if request.query_params.get("distinct"):
--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -1,30 +1,22 @@
 # ~*~ coding: utf-8 ~*~
-# Copyright (C) 2014-2018 Beijing DuiZhan Technology Co.,Ltd. All Rights Reserved.
-#
-# Licensed under the GNU General Public License v2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.gnu.org/licenses/gpl-2.0.html
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.

-from rest_framework import generics, mixins, viewsets
+from collections import namedtuple
+from rest_framework import status
 from rest_framework.serializers import ValidationError
-from rest_framework.views import APIView
 from rest_framework.response import Response
 from django.utils.translation import ugettext_lazy as _
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, Http404

 from common.utils import get_logger, get_object_or_none
 from common.tree import TreeNodeSerializer
+from orgs.mixins.api import OrgModelViewSet
+from orgs.mixins import generics
 from ..hands import IsOrgAdmin
 from ..models import Node
-from ..tasks import update_assets_hardware_info_util, test_asset_connectivity_util
+from ..tasks import (
+    update_node_assets_hardware_info_manual,
+    test_node_assets_connectivity_manual,
+)
 from .. import serializers


@@ -32,35 +24,38 @@ logger = get_logger(__file__)
 __all__ = [
    'NodeViewSet', 'NodeChildrenApi', 'NodeAssetsApi',
    'NodeAddAssetsApi', 'NodeRemoveAssetsApi', 'NodeReplaceAssetsApi',
-    'NodeAddChildrenApi', 'RefreshNodeHardwareInfoApi',
-    'TestNodeConnectiveApi', 'NodeListAsTreeApi',
-    'NodeChildrenAsTreeApi', 'RefreshAssetsAmount',
+    'NodeAddChildrenApi', 'NodeListAsTreeApi',
+    'NodeChildrenAsTreeApi',
+    'NodeTaskCreateApi',
 ]


-class NodeViewSet(viewsets.ModelViewSet):
-    filter_fields = ('value', 'key', )
-    search_fields = filter_fields
-    queryset = Node.objects.all()
+class NodeViewSet(OrgModelViewSet):
+    model = Node
+    filter_fields = ('value', 'key', 'id')
+    search_fields = ('value', )
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer

+    # 仅支持根节点指直接创建，子节点下的节点需要通过children接口创建
    def perform_create(self, serializer):
-        child_key = Node.root().get_next_child_key()
+        child_key = Node.org_root().get_next_child_key()
        serializer.validated_data["key"] = child_key
        serializer.save()

-    def update(self, request, *args, **kwargs):
+    def perform_update(self, serializer):
        node = self.get_object()
-        if node.is_root():
-            node_value = node.value
-            post_value = request.data.get('value')
-            if node_value != post_value:
-                return Response(
-                    {"msg": _("You can't update the root node name")},
-                    status=400
-                )
-        return super().update(request, *args, **kwargs)
+        if node.is_org_root() and node.value != serializer.validated_data['value']:
+            msg = _("You can't update the root node name")
+            raise ValidationError({"error": msg})
+        return super().perform_update(serializer)
+
+    def destroy(self, request, *args, **kwargs):
+        node = self.get_object()
+        if node.has_children_or_has_assets():
+            error = _("Deletion failed and the node contains children or assets")
+            return Response(data={'error': error}, status=status.HTTP_403_FORBIDDEN)
+        return super().destroy(request, *args, **kwargs)


 class NodeListAsTreeApi(generics.ListAPIView):
@@ -75,26 +70,73 @@ class NodeListAsTreeApi(generics.ListAPIView):
      }
    ]
    """
+    model = Node
    permission_classes = (IsOrgAdmin,)
    serializer_class = TreeNodeSerializer

-    def get_queryset(self):
-        queryset = [node.as_tree_node() for node in Node.objects.all()]
+    @staticmethod
+    def to_tree_queryset(queryset):
+        queryset = [node.as_tree_node() for node in queryset]
        return queryset

    def filter_queryset(self, queryset):
-        if self.request.query_params.get('refresh', '0') == '1':
-            queryset = self.refresh_nodes(queryset)
-        return queryset
-
-    @staticmethod
-    def refresh_nodes(queryset):
-        Node.expire_nodes_assets_amount()
-        Node.expire_nodes_full_value()
+        queryset = super().filter_queryset(queryset)
+        queryset = self.to_tree_queryset(queryset)
        return queryset


-class NodeChildrenAsTreeApi(generics.ListAPIView):
+class NodeChildrenApi(generics.ListCreateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.NodeSerializer
+    instance = None
+    is_initial = False
+
+    def initial(self, request, *args, **kwargs):
+        self.instance = self.get_object()
+        return super().initial(request, *args, **kwargs)
+
+    def perform_create(self, serializer):
+        data = serializer.validated_data
+        _id = data.get("id")
+        value = data.get("value")
+        if not value:
+            value = self.instance.get_next_child_preset_name()
+        node = self.instance.create_child(value=value, _id=_id)
+        # 避免查询 full value
+        node._full_value = node.value
+        serializer.instance = node
+
+    def get_object(self):
+        pk = self.kwargs.get('pk') or self.request.query_params.get('id')
+        key = self.request.query_params.get("key")
+        if not pk and not key:
+            node = Node.org_root()
+            self.is_initial = True
+            return node
+        if pk:
+            node = get_object_or_404(Node, pk=pk)
+        else:
+            node = get_object_or_404(Node, key=key)
+        return node
+
+    def get_queryset(self):
+        query_all = self.request.query_params.get("all", "0") == "all"
+        if not self.instance:
+            return Node.objects.none()
+
+        if self.is_initial:
+            with_self = True
+        else:
+            with_self = False
+
+        if query_all:
+            queryset = self.instance.get_all_children(with_self=with_self)
+        else:
+            queryset = self.instance.get_children(with_self=with_self)
+        return queryset
+
+
+class NodeChildrenAsTreeApi(NodeChildrenApi):
    """
    节点子节点作为树返回，
    [
@@ -107,98 +149,32 @@ class NodeChildrenAsTreeApi(generics.ListAPIView):
    ]

    """
-    permission_classes = (IsOrgAdmin,)
+    model = Node
    serializer_class = TreeNodeSerializer
-    node = None
-    is_root = False
+    http_method_names = ['get']

    def get_queryset(self):
-        node_key = self.request.query_params.get('key')
-        if node_key:
-            self.node = Node.objects.get(key=node_key)
-            queryset = self.node.get_children(with_self=False)
-        else:
-            self.is_root = True
-            self.node = Node.root()
-            queryset = list(self.node.get_children(with_self=True))
-            nodes_invalid = Node.objects.exclude(key__startswith=self.node.key)
-            queryset.extend(list(nodes_invalid))
+        queryset = super().get_queryset()
        queryset = [node.as_tree_node() for node in queryset]
+        queryset = self.add_assets_if_need(queryset)
        queryset = sorted(queryset)
        return queryset

-    def filter_assets(self, queryset):
+    def add_assets_if_need(self, queryset):
        include_assets = self.request.query_params.get('assets', '0') == '1'
        if not include_assets:
            return queryset
-        assets = self.node.get_assets()
+        assets = self.instance.get_assets().only(
+            "id", "hostname", "ip", "os",
+            "org_id", "protocols",
+        )
        for asset in assets:
-            queryset.append(asset.as_tree_node(self.node))
+            queryset.append(asset.as_tree_node(self.instance))
        return queryset

-    def filter_queryset(self, queryset):
-        queryset = self.filter_assets(queryset)
-        queryset = self.filter_refresh_nodes(queryset)
-        return queryset
-
-    def filter_refresh_nodes(self, queryset):
+    def check_need_refresh_nodes(self):
        if self.request.query_params.get('refresh', '0') == '1':
-            Node.expire_nodes_assets_amount()
-            Node.expire_nodes_full_value()
-        return queryset
-
-
-class NodeChildrenApi(mixins.ListModelMixin, generics.CreateAPIView):
-    queryset = Node.objects.all()
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.NodeSerializer
-    instance = None
-
-    def get(self, request, *args, **kwargs):
-        return self.list(request, *args, **kwargs)
-
-    def post(self, request, *args, **kwargs):
-        instance = self.get_object()
-        if not request.data.get("value"):
-            request.data["value"] = instance.get_next_child_preset_name()
-        return super().post(request, *args, **kwargs)
-
-    def create(self, request, *args, **kwargs):
-        instance = self.get_object()
-        value = request.data.get("value")
-        _id = request.data.get('id') or None
-        values = [child.value for child in instance.get_children()]
-        if value in values:
-            raise ValidationError(
-                'The same level node name cannot be the same'
-            )
-        node = instance.create_child(value=value, _id=_id)
-        return Response(self.serializer_class(instance=node).data, status=201)
-
-    def get_object(self):
-        pk = self.kwargs.get('pk') or self.request.query_params.get('id')
-        if not pk:
-            node = Node.root()
-        else:
-            node = get_object_or_404(Node, pk=pk)
-        return node
-
-    def get_queryset(self):
-        queryset = []
-        query_all = self.request.query_params.get("all")
-        node = self.get_object()
-
-        if node is None:
-            node = Node.root()
-            node.assets__count = node.get_all_assets().count()
-            queryset.append(node)
-
-        if query_all:
-            children = node.get_all_children()
-        else:
-            children = node.get_children()
-        queryset.extend(list(children))
-        return queryset
+            Node.refresh_nodes()


 class NodeAssetsApi(generics.ListAPIView):
@@ -216,7 +192,7 @@ class NodeAssetsApi(generics.ListAPIView):


 class NodeAddChildrenApi(generics.UpdateAPIView):
-    queryset = Node.objects.all()
+    model = Node
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeAddChildrenSerializer
    instance = None
@@ -233,8 +209,8 @@ class NodeAddChildrenApi(generics.UpdateAPIView):


 class NodeAddAssetsApi(generics.UpdateAPIView):
+    model = Node
    serializer_class = serializers.NodeAssetsSerializer
-    queryset = Node.objects.all()
    permission_classes = (IsOrgAdmin,)
    instance = None

@@ -245,15 +221,15 @@ class NodeAddAssetsApi(generics.UpdateAPIView):


 class NodeRemoveAssetsApi(generics.UpdateAPIView):
+    model = Node
    serializer_class = serializers.NodeAssetsSerializer
-    queryset = Node.objects.all()
    permission_classes = (IsOrgAdmin,)
    instance = None

    def perform_update(self, serializer):
        assets = serializer.validated_data.get('assets')
        instance = self.get_object()
-        if instance != Node.root():
+        if instance != Node.org_root():
            instance.assets.remove(*tuple(assets))
        else:
            assets = [asset for asset in assets if asset.nodes.count() > 1]
@@ -261,8 +237,8 @@ class NodeRemoveAssetsApi(generics.UpdateAPIView):


 class NodeReplaceAssetsApi(generics.UpdateAPIView):
+    model = Node
    serializer_class = serializers.NodeAssetsSerializer
-    queryset = Node.objects.all()
    permission_classes = (IsOrgAdmin,)
    instance = None

@@ -273,38 +249,41 @@ class NodeReplaceAssetsApi(generics.UpdateAPIView):
            asset.nodes.set([instance])


-class RefreshNodeHardwareInfoApi(APIView):
-    permission_classes = (IsOrgAdmin,)
+class NodeTaskCreateApi(generics.CreateAPIView):
    model = Node
-
-    def get(self, request, *args, **kwargs):
-        node_id = kwargs.get('pk')
-        node = get_object_or_404(self.model, id=node_id)
-        assets = node.get_all_assets()
-        # task_name = _("更新节点资产硬件信息: {}".format(node.name))
-        task_name = _("Update node asset hardware information: {}").format(node.name)
-        task = update_assets_hardware_info_util.delay(assets, task_name=task_name)
-        return Response({"task": task.id})
-
-
-class TestNodeConnectiveApi(APIView):
+    serializer_class = serializers.NodeTaskSerializer
    permission_classes = (IsOrgAdmin,)
-    model = Node

-    def get(self, request, *args, **kwargs):
-        node_id = kwargs.get('pk')
-        node = get_object_or_404(self.model, id=node_id)
-        assets = node.get_all_assets()
-        # task_name = _("测试节点下资产是否可连接: {}".format(node.name))
-        task_name = _("Test if the assets under the node are connectable: {}".format(node.name))
-        task = test_asset_connectivity_util.delay(assets, task_name=task_name)
-        return Response({"task": task.id})
+    def get_object(self):
+        node_id = self.kwargs.get('pk')
+        node = get_object_or_none(self.model, id=node_id)
+        return node

+    @staticmethod
+    def set_serializer_data(s, task):
+        data = getattr(s, '_data', {})
+        data["task"] = task.id
+        setattr(s, '_data', data)

-class RefreshAssetsAmount(APIView):
-    permission_classes = (IsOrgAdmin,)
-    model = Node
+    @staticmethod
+    def refresh_nodes_cache():
+        Node.refresh_nodes()
+        Task = namedtuple('Task', ['id'])
+        task = Task(id="0")
+        return task
+
+    def perform_create(self, serializer):
+        action = serializer.validated_data["action"]
+        node = self.get_object()
+        if action == "refresh_cache" and node is None:
+            task = self.refresh_nodes_cache()
+            self.set_serializer_data(serializer, task)
+            return
+        if node is None:
+            raise Http404()
+        if action == "refresh":
+            task = update_node_assets_hardware_info_manual.delay(node)
+        else:
+            task = test_node_assets_connectivity_manual.delay(node)
+        self.set_serializer_data(serializer, task)

-    def get(self, request, *args, **kwargs):
-        self.model.expire_nodes_assets_amount()
-        return Response("Ok")
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@@ -1,67 +1,50 @@
 # ~*~ coding: utf-8 ~*~
-# Copyright (C) 2014-2018 Beijing DuiZhan Technology Co.,Ltd. All Rights Reserved.
-#
-# Licensed under the GNU General Public License v2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#    http://www.gnu.org/licenses/gpl-2.0.html
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 from django.shortcuts import get_object_or_404
-from rest_framework import generics
 from rest_framework.response import Response
-from rest_framework_bulk import BulkModelViewSet
-from rest_framework.pagination import LimitOffsetPagination

 from common.utils import get_logger
-from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
-from common.mixins import IDInCacheFilterMixin
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsAppUser
+from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.mixins import generics
+from orgs.utils import tmp_to_org
 from ..models import SystemUser, Asset
 from .. import serializers
-from ..tasks import push_system_user_to_assets_manual, \
-    test_system_user_connectivity_manual, push_system_user_a_asset_manual, \
-    test_system_user_connectivity_a_asset
+from ..serializers import SystemUserWithAuthInfoSerializer
+from ..tasks import (
+    push_system_user_to_assets_manual, test_system_user_connectivity_manual,
+    push_system_user_a_asset_manual,
+)


 logger = get_logger(__file__)
 __all__ = [
    'SystemUserViewSet', 'SystemUserAuthInfoApi', 'SystemUserAssetAuthInfoApi',
-    'SystemUserPushApi', 'SystemUserTestConnectiveApi',
-    'SystemUserAssetsListView', 'SystemUserPushToAssetApi',
-    'SystemUserTestAssetConnectivityApi', 'SystemUserCommandFilterRuleListApi',
-
+    'SystemUserCommandFilterRuleListApi', 'SystemUserTaskApi',
 ]


-class SystemUserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
+class SystemUserViewSet(OrgBulkModelViewSet):
    """
    System user api set, for add,delete,update,list,retrieve resource
    """
-    filter_fields = ("name", "username")
+    model = SystemUser
+    filter_fields = ("name", "username", "protocol")
    search_fields = filter_fields
-    queryset = SystemUser.objects.all()
    serializer_class = serializers.SystemUserSerializer
+    serializer_classes = {
+        'default': serializers.SystemUserSerializer,
+        'list': serializers.SystemUserListSerializer,
+    }
    permission_classes = (IsOrgAdminOrAppUser,)
-    pagination_class = LimitOffsetPagination
-
-    def get_queryset(self):
-        queryset = super().get_queryset().all()
-        return queryset


 class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
    """
    Get system user auth info
    """
-    queryset = SystemUser.objects.all()
+    model = SystemUser
    permission_classes = (IsOrgAdminOrAppUser,)
-    serializer_class = serializers.SystemUserAuthSerializer
+    serializer_class = SystemUserWithAuthInfoSerializer

    def destroy(self, request, *args, **kwargs):
        instance = self.get_object()
@@ -73,88 +56,62 @@ class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
    """
    Get system user with asset auth info
    """
-    queryset = SystemUser.objects.all()
+    model = SystemUser
    permission_classes = (IsOrgAdminOrAppUser,)
-    serializer_class = serializers.SystemUserAuthSerializer
+    serializer_class = SystemUserWithAuthInfoSerializer
+
+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+        return handler

    def get_object(self):
        instance = super().get_object()
-        aid = self.kwargs.get('aid')
-        asset = get_object_or_404(Asset, pk=aid)
-        instance.load_specific_asset_auth(asset)
-        return instance
+        username = instance.username
+        if instance.username_same_with_user:
+            username = self.request.query_params.get("username")
+        asset_id = self.kwargs.get('aid')
+        asset = get_object_or_404(Asset, pk=asset_id)
+
+        with tmp_to_org(asset.org_id):
+            instance.load_asset_special_auth(asset=asset, username=username)
+            return instance


-class SystemUserPushApi(generics.RetrieveAPIView):
-    """
-    Push system user to cluster assets api
-    """
-    queryset = SystemUser.objects.all()
+class SystemUserTaskApi(generics.CreateAPIView):
    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.SystemUserTaskSerializer

-    def retrieve(self, request, *args, **kwargs):
-        system_user = self.get_object()
-        nodes = system_user.nodes.all()
-        for node in nodes:
-            system_user.assets.add(*tuple(node.get_all_assets()))
-        task = push_system_user_to_assets_manual.delay(system_user)
-        return Response({"task": task.id})
+    def do_push(self, system_user, asset=None):
+        if asset is None:
+            task = push_system_user_to_assets_manual.delay(system_user)
+        else:
+            username = self.request.query_params.get('username')
+            task = push_system_user_a_asset_manual.delay(
+                system_user, asset, username=username
+            )
+        return task

-
-class SystemUserTestConnectiveApi(generics.RetrieveAPIView):
-    """
-    Push system user to cluster assets api
-    """
-    queryset = SystemUser.objects.all()
-    permission_classes = (IsOrgAdmin,)
-
-    def retrieve(self, request, *args, **kwargs):
-        system_user = self.get_object()
+    @staticmethod
+    def do_test(system_user, asset=None):
        task = test_system_user_connectivity_manual.delay(system_user)
-        return Response({"task": task.id})
-
-
-class SystemUserAssetsListView(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.AssetSimpleSerializer
-    pagination_class = LimitOffsetPagination
-    filter_fields = ("hostname", "ip")
-    http_method_names = ['get']
-    search_fields = filter_fields
+        return task

    def get_object(self):
        pk = self.kwargs.get('pk')
        return get_object_or_404(SystemUser, pk=pk)

-    def get_queryset(self):
+    def perform_create(self, serializer):
+        action = serializer.validated_data["action"]
+        asset = serializer.validated_data.get('asset')
        system_user = self.get_object()
-        return system_user.assets.all()
-
-
-class SystemUserPushToAssetApi(generics.RetrieveAPIView):
-    queryset = SystemUser.objects.all()
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.TaskIDSerializer
-
-    def retrieve(self, request, *args, **kwargs):
-        system_user = self.get_object()
-        asset_id = self.kwargs.get('aid')
-        asset = get_object_or_404(Asset, id=asset_id)
-        task = push_system_user_a_asset_manual.delay(system_user, asset)
-        return Response({"task": task.id})
-
-
-class SystemUserTestAssetConnectivityApi(generics.RetrieveAPIView):
-    queryset = SystemUser.objects.all()
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.TaskIDSerializer
-
-    def retrieve(self, request, *args, **kwargs):
-        system_user = self.get_object()
-        asset_id = self.kwargs.get('aid')
-        asset = get_object_or_404(Asset, id=asset_id)
-        task = test_system_user_connectivity_a_asset.delay(system_user, asset)
-        return Response({"task": task.id})
+        if action == 'push':
+            task = self.do_push(system_user, asset)
+        else:
+            task = self.do_test(system_user, asset)
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)


 class SystemUserCommandFilterRuleListApi(generics.ListAPIView):
--- a/apps/assets/api/system_user_relation.py
+++ b/apps/assets/api/system_user_relation.py
@@ -0,0 +1,136 @@
+# -*- coding: utf-8 -*-
+#
+from collections import defaultdict
+from django.db.models import F, Value
+from django.db.models.signals import m2m_changed
+from django.db.models.functions import Concat
+
+from common.permissions import IsOrgAdmin
+from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.utils import current_org
+from .. import models, serializers
+
+__all__ = [
+    'SystemUserAssetRelationViewSet', 'SystemUserNodeRelationViewSet',
+    'SystemUserUserRelationViewSet',
+]
+
+
+class RelationMixin:
+    def get_queryset(self):
+        queryset = self.model.objects.all()
+        org_id = current_org.org_id()
+        if org_id is not None:
+            queryset = queryset.filter(systemuser__org_id=org_id)
+        queryset = queryset.annotate(systemuser_display=Concat(
+            F('systemuser__name'), Value('('), F('systemuser__username'),
+            Value(')')
+        ))
+        return queryset
+
+    def send_post_add_signal(self, instance):
+        if not isinstance(instance, list):
+            instance = [instance]
+
+        system_users_objects_map = defaultdict(list)
+        model, object_field = self.get_objects_attr()
+
+        for i in instance:
+            _id = getattr(i, object_field).id
+            system_users_objects_map[i.systemuser].append(_id)
+
+        sender = self.get_sender()
+        for system_user, objects in system_users_objects_map.items():
+            m2m_changed.send(
+                sender=sender, instance=system_user, action='post_add',
+                reverse=False, model=model, pk_set=objects
+            )
+
+    def get_sender(self):
+        return self.model
+
+    def get_objects_attr(self):
+        return models.Asset, 'asset'
+
+    def perform_create(self, serializer):
+        instance = serializer.save()
+        self.send_post_add_signal(instance)
+
+
+class BaseRelationViewSet(RelationMixin, OrgBulkModelViewSet):
+    pass
+
+
+class SystemUserAssetRelationViewSet(BaseRelationViewSet):
+    serializer_class = serializers.SystemUserAssetRelationSerializer
+    model = models.SystemUser.assets.through
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'asset', 'systemuser',
+    ]
+    search_fields = [
+        "id", "asset__hostname", "asset__ip",
+        "systemuser__name", "systemuser__username"
+    ]
+
+    def get_objects_attr(self):
+        return models.Asset, 'asset'
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.annotate(
+            asset_display=Concat(
+                F('asset__hostname'), Value('('),
+                F('asset__ip'), Value(')')
+            )
+        )
+        return queryset
+
+
+class SystemUserNodeRelationViewSet(BaseRelationViewSet):
+    serializer_class = serializers.SystemUserNodeRelationSerializer
+    model = models.SystemUser.nodes.through
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'node', 'systemuser',
+    ]
+    search_fields = [
+        "node__value", "systemuser__name", "systemuser_username"
+    ]
+
+    def get_objects_attr(self):
+        return models.Node, 'node'
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset \
+            .annotate(node_key=F('node__key'))
+        return queryset
+
+
+class SystemUserUserRelationViewSet(BaseRelationViewSet):
+    serializer_class = serializers.SystemUserUserRelationSerializer
+    model = models.SystemUser.users.through
+    permission_classes = (IsOrgAdmin,)
+    filter_fields = [
+        'id', 'user', 'systemuser',
+    ]
+    search_fields = [
+        "user__username", "user__name",
+        "systemuser__name", "systemuser__username",
+    ]
+
+    def get_objects_attr(self):
+        from users.models import User
+        return User, 'user'
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.annotate(
+            user_display=Concat(
+                F('user__name'), Value('('),
+                F('user__username'), Value(')')
+            )
+        )
+        return queryset
+
--- a/apps/assets/apps.py
+++ b/apps/assets/apps.py
@@ -1,11 +1,25 @@
 from __future__ import unicode_literals

 from django.apps import AppConfig
+from django.db.models.signals import post_migrate
+
+
+def initial_some_nodes():
+    from .models import Node
+    Node.initial_some_nodes()
+
+
+def initial_some_nodes_callback(sender, **kwargs):
+    initial_some_nodes()


 class AssetsConfig(AppConfig):
    name = 'assets'

    def ready(self):
-        from . import signals_handler
        super().ready()
+        from . import signals_handler
+        try:
+            initial_some_nodes()
+        except Exception:
+            post_migrate.connect(initial_some_nodes_callback, sender=self)
--- a/apps/assets/backends/init.py
+++ b/apps/assets/backends/init.py
@@ -0,0 +1 @@
+from .manager import AssetUserManager
--- a/apps/assets/backends/base.py
+++ b/apps/assets/backends/base.py
@@ -1,60 +1,48 @@
 # -*- coding: utf-8 -*-
 #
-
-from django.core.exceptions import MultipleObjectsReturned, ObjectDoesNotExist
 from abc import abstractmethod

-
-class NotSupportError(Exception):
-    pass
+from ..models import Asset


 class BaseBackend:
-    ObjectDoesNotExist = ObjectDoesNotExist
-    MultipleObjectsReturned = MultipleObjectsReturned
-    NotSupportError = NotSupportError
-    MSG_NOT_EXIST = '{} Object matching query does not exist'
-    MSG_MULTIPLE = '{} get() returned more than one object ' \
-                   '-- it returned {}!'
-
-    @classmethod
-    def get(cls, username, asset):
-        instances = cls.filter(username, asset)
-        if len(instances) == 1:
-            return instances[0]
-        elif len(instances) == 0:
-            cls.raise_does_not_exist(cls.__name__)
-        else:
-            cls.raise_multiple_return(cls.__name__, len(instances))
-
-    @classmethod
    @abstractmethod
-    def filter(cls, username=None, asset=None, latest=True):
-        """
-        :param username: 用户名
-        :param asset: <Asset>对象
-        :param latest: 是否是最新记录
-        :return: 元素为<AuthBook>的可迭代对象(<list> or <QuerySet>)
-        """
+    def all(self):
        pass

-    @classmethod
    @abstractmethod
-    def create(cls, **kwargs):
-        """
-        :param kwargs:
-        {
-            name, username, asset, comment, password, public_key, private_key,
-            (org_id)
-        }
-        :return: <AuthBook>对象
-        """
+    def filter(self, username=None, hostname=None, ip=None, assets=None,
+               node=None, prefer_id=None, **kwargs):
        pass

-    @classmethod
-    def raise_does_not_exist(cls, name):
-        raise cls.ObjectDoesNotExist(cls.MSG_NOT_EXIST.format(name))
+    @abstractmethod
+    def search(self, item):
+        pass

-    @classmethod
-    def raise_multiple_return(cls, name, length):
-        raise cls.MultipleObjectsReturned(cls.MSG_MULTIPLE.format(name, length))
+    @abstractmethod
+    def get_queryset(self):
+        pass
+
+    @abstractmethod
+    def delete(self, union_id):
+        pass
+
+    @staticmethod
+    def qs_to_values(qs):
+        values = qs.values(
+            'hostname', 'ip', "asset_id",
+            'username', 'password', 'private_key', 'public_key',
+            'score', 'version',
+            "asset_username", "union_id",
+            'date_created', 'date_updated',
+            'org_id', 'backend',
+        )
+        return values
+
+    @staticmethod
+    def make_assets_as_id(assets):
+        if not assets:
+            return []
+        if isinstance(assets[0], Asset):
+            assets = [a.id for a in assets]
+        return assets
--- a/apps/assets/backends/db.py
+++ b/apps/assets/backends/db.py
@@ -0,0 +1,318 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext as _
+from functools import reduce
+from django.db.models import F, CharField, Value, IntegerField, Q, Count
+from django.db.models.functions import Concat
+
+from common.utils import get_object_or_none
+from orgs.utils import current_org
+from ..models import AuthBook, SystemUser, Asset, AdminUser
+from .base import BaseBackend
+
+
+class DBBackend(BaseBackend):
+    union_id_length = 2
+
+    def __init__(self, queryset=None):
+        if queryset is None:
+            queryset = self.all()
+        self.queryset = queryset
+
+    def _clone(self):
+        return self.__class__(self.queryset)
+
+    def all(self):
+        return AuthBook.objects.none()
+
+    def count(self):
+        return self.queryset.count()
+
+    def get_queryset(self):
+        return self.queryset
+
+    def delete(self, union_id):
+        cleaned_union_id = union_id.split('_')
+        # 如果union_id通不过本检查，代表可能不是本backend, 应该返回空
+        if not self._check_union_id(union_id, cleaned_union_id):
+            return
+        return self._perform_delete_by_union_id(cleaned_union_id)
+
+    def _perform_delete_by_union_id(self, union_id_cleaned):
+        pass
+
+    def filter(self, assets=None, node=None, prefer=None, prefer_id=None,
+               union_id=None, id__in=None, **kwargs):
+        clone = self._clone()
+        clone._filter_union_id(union_id)
+        clone._filter_prefer(prefer, prefer_id)
+        clone._filter_node(node)
+        clone._filter_assets(assets)
+        clone._filter_other(kwargs)
+        clone._filter_id_in(id__in)
+        return clone
+
+    def _filter_union_id(self, union_id):
+        if not union_id:
+            return
+        cleaned_union_id = union_id.split('_')
+        # 如果union_id通不过本检查，代表可能不是本backend, 应该返回空
+        if not self._check_union_id(union_id, cleaned_union_id):
+            self.queryset = self.queryset.none()
+            return
+        return self._perform_filter_union_id(union_id, cleaned_union_id)
+
+    def _check_union_id(self, union_id, cleaned_union_id):
+        return union_id and len(cleaned_union_id) == self.union_id_length
+
+    def _perform_filter_union_id(self, union_id, union_id_cleaned):
+        self.queryset = self.queryset.filter(union_id=union_id)
+
+    def _filter_assets(self, assets):
+        assets_id = self.make_assets_as_id(assets)
+        if assets_id:
+            self.queryset = self.queryset.filter(asset_id__in=assets_id)
+
+    def _filter_node(self, node):
+        pass
+
+    def _filter_id_in(self, ids):
+        if ids and isinstance(ids, list):
+            self.queryset = self.queryset.filter(union_id__in=ids)
+
+    @staticmethod
+    def clean_kwargs(kwargs):
+        return {k: v for k, v in kwargs.items() if v}
+
+    def _filter_other(self, kwargs):
+        kwargs = self.clean_kwargs(kwargs)
+        if kwargs:
+            self.queryset = self.queryset.filter(**kwargs)
+
+    def _filter_prefer(self, prefer, prefer_id):
+        pass
+
+    def search(self, item):
+        qs = []
+        for i in ['hostname', 'ip', 'username']:
+            kwargs = {i + '__startswith': item}
+            qs.append(Q(**kwargs))
+        q = reduce(lambda x, y: x | y, qs)
+        clone = self._clone()
+        clone.queryset = clone.queryset.filter(q).distinct()
+        return clone
+
+
+class SystemUserBackend(DBBackend):
+    model = SystemUser.assets.through
+    backend = 'system_user'
+    prefer = backend
+    base_score = 0
+    union_id_length = 2
+
+    def _filter_prefer(self, prefer, prefer_id):
+        if prefer and prefer != self.prefer:
+            self.queryset = self.queryset.none()
+
+        if prefer_id:
+            self.queryset = self.queryset.filter(systemuser__id=prefer_id)
+
+    def _perform_filter_union_id(self, union_id, union_id_cleaned):
+        system_user_id, asset_id = union_id_cleaned
+        self.queryset = self.queryset.filter(
+            asset_id=asset_id, systemuser__id=system_user_id,
+        )
+
+    def _perform_delete_by_union_id(self, union_id_cleaned):
+        system_user_id, asset_id = union_id_cleaned
+        system_user = get_object_or_none(SystemUser, pk=system_user_id)
+        asset = get_object_or_none(Asset, pk=asset_id)
+        if all((system_user, asset)):
+            system_user.assets.remove(asset)
+
+    def _filter_node(self, node):
+        if node:
+            self.queryset = self.queryset.filter(asset__nodes__id=node.id)
+
+    def get_annotate(self):
+        kwargs = dict(
+            hostname=F("asset__hostname"),
+            ip=F("asset__ip"),
+            username=F("systemuser__username"),
+            password=F("systemuser__password"),
+            private_key=F("systemuser__private_key"),
+            public_key=F("systemuser__public_key"),
+            score=F("systemuser__priority") + self.base_score,
+            version=Value(0, IntegerField()),
+            date_created=F("systemuser__date_created"),
+            date_updated=F("systemuser__date_updated"),
+            asset_username=Concat(F("asset__id"), Value("_"),
+                                  F("systemuser__username"),
+                                  output_field=CharField()),
+            union_id=Concat(F("systemuser_id"), Value("_"), F("asset_id"),
+                            output_field=CharField()),
+            org_id=F("asset__org_id"),
+            backend=Value(self.backend, CharField())
+        )
+        return kwargs
+
+    def get_filter(self):
+        return dict(
+            systemuser__username_same_with_user=False,
+        )
+
+    def all(self):
+        kwargs = self.get_annotate()
+        filters = self.get_filter()
+        qs = self.model.objects.all().annotate(**kwargs)
+        if current_org.org_id() is not None:
+            filters['org_id'] = current_org.org_id()
+        qs = qs.filter(**filters)
+        qs = self.qs_to_values(qs)
+        return qs
+
+
+class DynamicSystemUserBackend(SystemUserBackend):
+    backend = 'system_user_dynamic'
+    prefer = 'system_user'
+    union_id_length = 3
+
+    def get_annotate(self):
+        kwargs = super().get_annotate()
+        kwargs.update(dict(
+            username=F("systemuser__users__username"),
+            asset_username=Concat(
+                F("asset__id"), Value("_"),
+                F("systemuser__users__username"),
+                output_field=CharField()
+            ),
+            union_id=Concat(
+                F("systemuser_id"), Value("_"), F("asset_id"),
+                Value("_"), F("systemuser__users__id"),
+                output_field=CharField()
+            ),
+            users_count=Count('systemuser__users'),
+        ))
+        return kwargs
+
+    def _perform_filter_union_id(self, union_id, union_id_cleaned):
+        system_user_id, asset_id, user_id = union_id_cleaned
+        self.queryset = self.queryset.filter(
+            asset_id=asset_id, systemuser_id=system_user_id,
+            union_id=union_id,
+        )
+
+    def _perform_delete_by_union_id(self, union_id_cleaned):
+        system_user_id, asset_id, user_id = union_id_cleaned
+        system_user = get_object_or_none(SystemUser, pk=system_user_id)
+        if not system_user:
+            return
+        system_user.users.remove(user_id)
+        if system_user.users.count() == 0:
+            system_user.assets.remove(asset_id)
+
+    def get_filter(self):
+        return dict(
+            users_count__gt=0,
+            systemuser__username_same_with_user=True
+        )
+
+
+class AdminUserBackend(DBBackend):
+    model = Asset
+    backend = 'admin_user'
+    prefer = backend
+    base_score = 200
+
+    def _filter_prefer(self, prefer, prefer_id):
+        if prefer and prefer != self.backend:
+            self.queryset = self.queryset.none()
+        if prefer_id:
+            self.queryset = self.queryset.filter(admin_user__id=prefer_id)
+
+    def _filter_node(self, node):
+        if node:
+            self.queryset = self.queryset.filter(nodes__id=node.id)
+
+    def _perform_filter_union_id(self, union_id, union_id_cleaned):
+        admin_user_id, asset_id = union_id_cleaned
+        self.queryset = self.queryset.filter(
+            id=asset_id, admin_user_id=admin_user_id,
+        )
+
+    def _perform_delete_by_union_id(self, union_id_cleaned):
+        raise PermissionError(_("Could not remove asset admin user"))
+
+    def all(self):
+        qs = self.model.objects.all().annotate(
+            asset_id=F("id"),
+            username=F("admin_user__username"),
+            password=F("admin_user__password"),
+            private_key=F("admin_user__private_key"),
+            public_key=F("admin_user__public_key"),
+            score=Value(self.base_score, IntegerField()),
+            version=Value(0, IntegerField()),
+            date_updated=F("admin_user__date_updated"),
+            asset_username=Concat(F("id"), Value("_"), F("admin_user__username"), output_field=CharField()),
+            union_id=Concat(F("admin_user_id"), Value("_"), F("id"), output_field=CharField()),
+            backend=Value(self.backend, CharField()),
+        )
+        qs = self.qs_to_values(qs)
+        return qs
+
+
+class AuthbookBackend(DBBackend):
+    model = AuthBook
+    backend = 'db'
+    prefer = backend
+    base_score = 400
+
+    def _filter_node(self, node):
+        if node:
+            self.queryset = self.queryset.filter(asset__nodes__id=node.id)
+
+    def _filter_prefer(self, prefer, prefer_id):
+        if not prefer or not prefer_id:
+            return
+        if prefer.lower() == "admin_user":
+            model = AdminUser
+        elif prefer.lower() == "system_user":
+            model = SystemUser
+        else:
+            self.queryset = self.queryset.none()
+            return
+        obj = get_object_or_none(model, pk=prefer_id)
+        if obj is None:
+            self.queryset = self.queryset.none()
+            return
+        username = obj.get_username()
+        if isinstance(username, str):
+            self.queryset = self.queryset.filter(username=username)
+        # dynamic system user return more username
+        else:
+            self.queryset = self.queryset.filter(username__in=username)
+
+    def _perform_filter_union_id(self, union_id, union_id_cleaned):
+        authbook_id, asset_id = union_id_cleaned
+        self.queryset = self.queryset.filter(
+            id=authbook_id, asset_id=asset_id,
+        )
+
+    def _perform_delete_by_union_id(self, union_id_cleaned):
+        authbook_id, asset_id = union_id_cleaned
+        authbook = get_object_or_none(AuthBook, pk=authbook_id)
+        if authbook.is_latest:
+            raise PermissionError(_("Latest version could not be delete"))
+        AuthBook.objects.filter(id=authbook_id).delete()
+
+    def all(self):
+        qs = self.model.objects.all().annotate(
+            hostname=F("asset__hostname"),
+            ip=F("asset__ip"),
+            score=F('version') + self.base_score,
+            asset_username=Concat(F("asset__id"), Value("_"), F("username"), output_field=CharField()),
+            union_id=Concat(F("id"), Value("_"), F("asset_id"), output_field=CharField()),
+            backend=Value(self.backend, CharField()),
+        )
+        qs = self.qs_to_values(qs)
+        return qs
--- a/apps/assets/backends/external/db.py
+++ b/apps/assets/backends/external/db.py
@@ -1,31 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from assets.models import AuthBook
-
-from ..base import BaseBackend
-
-
-class AuthBookBackend(BaseBackend):
-
-    @classmethod
-    def filter(cls, username=None, asset=None, latest=True):
-        queryset = AuthBook.objects.all()
-        if username is not None:
-            queryset = queryset.filter(username=username)
-        if asset:
-            queryset = queryset.filter(asset=asset)
-        if latest:
-            queryset = queryset.latest_version()
-        return queryset
-
-    @classmethod
-    def create(cls, **kwargs):
-        auth_info = {
-            'password': kwargs.pop('password', ''),
-            'public_key': kwargs.pop('public_key', ''),
-            'private_key': kwargs.pop('private_key', '')
-        }
-        obj = AuthBook.objects.create(**kwargs)
-        obj.set_auth(**auth_info)
-        return obj
--- a/apps/assets/backends/external/utils.py
+++ b/apps/assets/backends/external/utils.py
@@ -1,16 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-# from django.conf import settings
-
-from .db import AuthBookBackend
-# from .vault import VaultBackend
-
-
-def get_backend():
-    default_backend = AuthBookBackend
-
-    # if settings.BACKEND_ASSET_USER_AUTH_VAULT:
-    #     return VaultBackend
-
-    return default_backend
--- a/apps/assets/backends/external/vault.py
+++ b/apps/assets/backends/external/vault.py
@@ -1,19 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from ..base import BaseBackend
-
-
-class VaultBackend(BaseBackend):
-
-    @classmethod
-    def get(cls, username, asset):
-        pass
-
-    @classmethod
-    def filter(cls, username=None, asset=None, latest=True):
-        pass
-
-    @classmethod
-    def create(cls, **kwargs):
-        pass
--- a/apps/assets/backends/internal/admin_user.py
+++ b/apps/assets/backends/internal/admin_user.py
@@ -1,38 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from assets.models import Asset
-
-from ..base import BaseBackend
-from .utils import construct_authbook_object
-
-
-class AdminUserBackend(BaseBackend):
-
-    @classmethod
-    def filter(cls, username=None, asset=None, **kwargs):
-        instances = cls.construct_authbook_objects(username, asset)
-        return instances
-
-    @classmethod
-    def _get_assets(cls, asset):
-        if not asset:
-            assets = Asset.objects.all().prefetch_related('admin_user')
-        else:
-            assets = [asset]
-        return assets
-
-    @classmethod
-    def construct_authbook_objects(cls, username, asset):
-        instances = []
-        assets = cls._get_assets(asset)
-        for asset in assets:
-            if username is not None and asset.admin_user.username != username:
-                continue
-            instance = construct_authbook_object(asset.admin_user, asset)
-            instances.append(instance)
-        return instances
-
-    @classmethod
-    def create(cls, **kwargs):
-        raise cls.NotSupportError("Not support create")
--- a/apps/assets/backends/internal/asset_user.py
+++ b/apps/assets/backends/internal/asset_user.py
@@ -1,32 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from ..base import BaseBackend
-from .admin_user import AdminUserBackend
-from .system_user import SystemUserBackend
-
-
-class AssetUserBackend(BaseBackend):
-    @classmethod
-    def filter(cls, username=None, asset=None, **kwargs):
-        admin_user_instances = AdminUserBackend.filter(username, asset)
-        system_user_instances = SystemUserBackend.filter(username, asset)
-        instances = cls._merge_instances(admin_user_instances, system_user_instances)
-        return instances
-
-    @classmethod
-    def _merge_instances(cls, admin_user_instances, system_user_instances):
-        admin_user_instances_keyword_list = [
-            {'username': instance.username, 'asset': instance.asset}
-            for instance in admin_user_instances
-        ]
-        instances = [
-            instance for instance in system_user_instances
-            if instance.keyword not in admin_user_instances_keyword_list
-        ]
-        admin_user_instances.extend(instances)
-        return admin_user_instances
-
-    @classmethod
-    def create(cls, **kwargs):
-        raise cls.NotSupportError("Not support create")
--- a/apps/assets/backends/internal/system_user.py
+++ b/apps/assets/backends/internal/system_user.py
@@ -1,75 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-import itertools
-
-from assets.models import Asset
-
-from ..base import BaseBackend
-from .utils import construct_authbook_object
-
-
-class SystemUserBackend(BaseBackend):
-
-    @classmethod
-    def filter(cls, username=None, asset=None, **kwargs):
-        instances = cls.construct_authbook_objects(username, asset)
-        return instances
-
-    @classmethod
-    def _distinct_system_users_by_username(cls, system_users):
-        system_users = sorted(
-            system_users,
-            key=lambda su: (su.username, su.priority, su.date_updated),
-            reverse=True,
-        )
-        results = itertools.groupby(system_users, key=lambda su: su.username)
-        system_users = [next(result[1]) for result in results]
-        return system_users
-
-    @classmethod
-    def _filter_system_users_by_username(cls, system_users, username):
-        _system_users = cls._distinct_system_users_by_username(system_users)
-        if username is not None:
-            _system_users = [su for su in _system_users if username == su.username]
-        return _system_users
-
-    @classmethod
-    def _construct_authbook_objects(cls, system_users, asset):
-        instances = []
-        for system_user in system_users:
-            instance = construct_authbook_object(system_user, asset)
-            instances.append(instance)
-        return instances
-
-    @classmethod
-    def _get_assets_with_system_users(cls, asset=None):
-        """
-        { 'asset': set(<SystemUser>, <SystemUser>, ...) }
-        """
-        if not asset:
-            _assets = Asset.objects.all().prefetch_related('systemuser_set')
-        else:
-            _assets = [asset]
-
-        assets = {asset: set(asset.systemuser_set.all()) for asset in _assets}
-        return assets
-
-    @classmethod
-    def construct_authbook_objects(cls, username, asset):
-        """
-        :return: [<AuthBook>, <AuthBook>, ...]
-        """
-        instances = []
-        assets = cls._get_assets_with_system_users(asset)
-        for _asset, _system_users in assets.items():
-            _system_users = cls._filter_system_users_by_username(_system_users, username)
-            _instances = cls._construct_authbook_objects(_system_users, _asset)
-            instances.extend(_instances)
-        return instances
-
-    @classmethod
-    def create(cls, **kwargs):
-        raise Exception("Not support create")
-
-
--- a/apps/assets/backends/internal/utils.py
+++ b/apps/assets/backends/internal/utils.py
@@ -1,26 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from assets.models import AuthBook
-
-
-def construct_authbook_object(asset_user, asset):
-    """
-    作用: 将<AssetUser>对象构造成为<AuthBook>对象并返回
-
-    :param asset_user: <AdminUser>或<SystemUser>对象
-    :param asset: <Asset>对象
-    :return: <AuthBook>对象
-    """
-    fields = [
-        'id', 'name', 'username', 'comment', 'org_id',
-        '_password', '_private_key', '_public_key',
-        'date_created', 'date_updated', 'created_by'
-    ]
-
-    obj = AuthBook(asset=asset, version=0, is_latest=True)
-    for field in fields:
-        value = getattr(asset_user, field)
-        setattr(obj, field, value)
-    return obj
-
--- a/apps/assets/backends/manager.py
+++ b/apps/assets/backends/manager.py
@@ -0,0 +1,162 @@
+# -*- coding: utf-8 -*-
+#
+from itertools import chain, groupby
+from django.core.exceptions import MultipleObjectsReturned, ObjectDoesNotExist
+
+from orgs.utils import current_org
+from common.utils import get_logger, lazyproperty
+from common.struct import QuerySetChain
+
+from ..models import AssetUser, AuthBook
+from .db import (
+    AuthbookBackend, SystemUserBackend, AdminUserBackend,
+    DynamicSystemUserBackend
+)
+
+logger = get_logger(__name__)
+
+
+class NotSupportError(Exception):
+    pass
+
+
+class AssetUserQueryset:
+    ObjectDoesNotExist = ObjectDoesNotExist
+    MultipleObjectsReturned = MultipleObjectsReturned
+
+    def __init__(self, backends=()):
+        self.backends = backends
+        self._distinct_queryset = None
+
+    def backends_queryset(self):
+        return [b.get_queryset() for b in self.backends]
+
+    @lazyproperty
+    def backends_counts(self):
+        return [b.count() for b in self.backends]
+
+    def filter(self, hostname=None, ip=None, username=None,
+               assets=None, asset=None, node=None,
+               id=None, prefer_id=None, prefer=None, id__in=None):
+        if not assets and asset:
+            assets = [asset]
+
+        kwargs = dict(
+            hostname=hostname, ip=ip, username=username,
+            assets=assets, node=node, prefer=prefer, prefer_id=prefer_id,
+            id__in=id__in, union_id=id,
+        )
+        logger.debug("Filter: {}".format(kwargs))
+        backends = []
+        for backend in self.backends:
+            clone = backend.filter(**kwargs)
+            backends.append(clone)
+        return self._clone(backends)
+
+    def _clone(self, backends=None):
+        if backends is None:
+            backends = self.backends
+        return self.__class__(backends)
+
+    def search(self, item):
+        backends = []
+        for backend in self.backends:
+            new = backend.search(item)
+            backends.append(new)
+        return self._clone(backends)
+
+    def distinct(self):
+        logger.debug("Distinct asset user queryset")
+        queryset_chain = chain(*(backend.get_queryset() for backend in self.backends))
+        queryset_sorted = sorted(
+            queryset_chain,
+            key=lambda item: (item["asset_username"], item["score"]),
+            reverse=True,
+        )
+        results = groupby(queryset_sorted, key=lambda item: item["asset_username"])
+        final = [next(result[1]) for result in results]
+        self._distinct_queryset = final
+        return self
+
+    def get(self, latest=False, **kwargs):
+        queryset = self.filter(**kwargs)
+        if latest:
+            queryset = queryset.distinct()
+        queryset = list(queryset)
+        count = len(queryset)
+        if count == 1:
+            data = queryset[0]
+            return data
+        elif count > 1:
+            msg = 'Should return 1 record, but get {}'.format(count)
+            raise MultipleObjectsReturned(msg)
+        else:
+            msg = 'No record found(org is {})'.format(current_org.name)
+            raise ObjectDoesNotExist(msg)
+
+    def get_latest(self, **kwargs):
+        return self.get(latest=True, **kwargs)
+
+    @staticmethod
+    def to_asset_user(data):
+        obj = AssetUser()
+        for k, v in data.items():
+            setattr(obj, k, v)
+        return obj
+
+    @property
+    def queryset(self):
+        if self._distinct_queryset is not None:
+            return self._distinct_queryset
+        return QuerySetChain(self.backends_queryset())
+
+    def count(self):
+        if self._distinct_queryset is not None:
+            return len(self._distinct_queryset)
+        else:
+            return sum(self.backends_counts)
+
+    def __getitem__(self, ndx):
+        return self.queryset.__getitem__(ndx)
+
+    def __iter__(self):
+        self._data = iter(self.queryset)
+        return self
+
+    def __next__(self):
+        return self.to_asset_user(next(self._data))
+
+
+class AssetUserManager:
+    support_backends = (
+        ('db', AuthbookBackend),
+        ('system_user', SystemUserBackend),
+        ('admin_user', AdminUserBackend),
+        ('system_user_dynamic', DynamicSystemUserBackend),
+    )
+
+    def __init__(self):
+        self.backends = [backend() for name, backend in self.support_backends]
+        self._queryset = AssetUserQueryset(self.backends)
+
+    def all(self):
+        return self._queryset
+
+    def delete(self, obj):
+        name_backends_map = dict(self.support_backends)
+        backend_name = obj.backend
+        backend_cls = name_backends_map.get(backend_name)
+        union_id = obj.union_id
+        if backend_cls:
+            backend_cls().delete(union_id)
+        else:
+            raise ObjectDoesNotExist("Not backend found")
+
+    @staticmethod
+    def create(**kwargs):
+        # 使用create方法创建AuthBook对象，解决并发创建问题（添加锁机制）
+        authbook = AuthBook.create(**kwargs)
+        return authbook
+
+    def __getattr__(self, item):
+        return getattr(self._queryset, item)
--- a/apps/assets/backends/multi.py
+++ b/apps/assets/backends/multi.py
@@ -1,40 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from .base import BaseBackend
-
-from .external.utils import get_backend
-from .internal.asset_user import AssetUserBackend
-
-
-class AssetUserManager(BaseBackend):
-    """
-    资产用户管理器
-    """
-    external_backend = get_backend()
-    internal_backend = AssetUserBackend
-
-    @classmethod
-    def filter(cls, username=None, asset=None, **kwargs):
-        external_instance = list(cls.external_backend.filter(username, asset))
-        internal_instance = list(cls.internal_backend.filter(username, asset))
-        instances = cls._merge_instances(external_instance, internal_instance)
-        return instances
-
-    @classmethod
-    def create(cls, **kwargs):
-        instance = cls.external_backend.create(**kwargs)
-        return instance
-
-    @classmethod
-    def _merge_instances(cls, external_instances, internal_instances):
-        external_instances_keyword_list = [
-            {'username': instance.username, 'asset': instance.asset}
-            for instance in external_instances
-        ]
-        instances = [
-            instance for instance in internal_instances
-            if instance.keyword not in external_instances_keyword_list
-        ]
-        external_instances.extend(instances)
-        return external_instances
--- a/apps/assets/backends/utils.py
+++ b/apps/assets/backends/utils.py
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+#
+
+# from django.conf import settings
+
+# from .vault import VaultBackend
+
--- a/apps/assets/backends/internal/init.py
+++ b/apps/assets/backends/internal/init.py
--- a/apps/assets/const.py
+++ b/apps/assets/const.py
@@ -1,57 +1,2 @@
 # -*- coding: utf-8 -*-
 #
-
-from django.utils.translation import ugettext_lazy as _
-
-
-UPDATE_ASSETS_HARDWARE_TASKS = [
-   {
-       'name': "setup",
-       'action': {
-           'module': 'setup'
-       }
-   }
-]
-
-ADMIN_USER_CONN_CACHE_KEY = "ADMIN_USER_CONN_{}"
-TEST_ADMIN_USER_CONN_TASKS = [
-    {
-        "name": "ping",
-        "action": {
-            "module": "ping",
-        }
-    }
-]
-
-ASSET_ADMIN_CONN_CACHE_KEY = "ASSET_ADMIN_USER_CONN_{}"
-
-SYSTEM_USER_CONN_CACHE_KEY = "SYSTEM_USER_CONN_{}"
-TEST_SYSTEM_USER_CONN_TASKS = [
-   {
-       "name": "ping",
-       "action": {
-           "module": "ping",
-       }
-   }
-]
-
-
-ASSET_USER_CONN_CACHE_KEY = 'ASSET_USER_CONN_{}_{}'
-TEST_ASSET_USER_CONN_TASKS = [
-    {
-        "name": "ping",
-        "action": {
-            "module": "ping",
-        }
-    }
-]
-
-
-TASK_OPTIONS = {
-    'timeout': 10,
-    'forks': 10,
-}
-
-CACHE_KEY_ASSET_BULK_UPDATE_ID_PREFIX = '_KEY_ASSET_BULK_UPDATE_ID_{}'
-
-
--- a/apps/assets/filters.py
+++ b/apps/assets/filters.py
@@ -0,0 +1,119 @@
+# -*- coding: utf-8 -*-
+#
+
+import coreapi
+from rest_framework import filters
+from django.db.models import Q
+
+from common.utils import dict_get_any, is_uuid, get_object_or_none
+from .models import Node, Label
+
+
+class AssetByNodeFilterBackend(filters.BaseFilterBackend):
+    fields = ['node', 'all']
+
+    def get_schema_fields(self, view):
+        return [
+            coreapi.Field(
+                name=field, location='query', required=False,
+                type='string', example='', description='', schema=None,
+            )
+            for field in self.fields
+        ]
+
+    @staticmethod
+    def is_query_all(request):
+        query_all_arg = request.query_params.get('all')
+        show_current_asset_arg = request.query_params.get('show_current_asset')
+
+        query_all = query_all_arg == '1'
+        if show_current_asset_arg is not None:
+            query_all = show_current_asset_arg != '1'
+        return query_all
+
+    @staticmethod
+    def get_query_node(request):
+        node_id = dict_get_any(request.query_params, ['node', 'node_id'])
+        if not node_id:
+            return None, False
+
+        if is_uuid(node_id):
+            node = get_object_or_none(Node, id=node_id)
+        else:
+            node = get_object_or_none(Node, key=node_id)
+        return node, True
+
+    @staticmethod
+    def perform_query(pattern, queryset):
+        return queryset.filter(nodes__key__regex=pattern).distinct()
+
+    def filter_queryset(self, request, queryset, view):
+        node, has_query_arg = self.get_query_node(request)
+        if not has_query_arg:
+            return queryset
+
+        if node is None:
+            return queryset
+        query_all = self.is_query_all(request)
+        if query_all:
+            pattern = node.get_all_children_pattern(with_self=True)
+        else:
+            # pattern = node.get_children_key_pattern(with_self=True)
+            # 只显示当前节点下资产
+            pattern = r"^{}$".format(node.key)
+        return self.perform_query(pattern, queryset)
+
+
+class LabelFilterBackend(filters.BaseFilterBackend):
+    sep = ':'
+    query_arg = 'label'
+
+    def get_schema_fields(self, view):
+        example = self.sep.join(['os', 'linux'])
+        return [
+            coreapi.Field(
+                name=self.query_arg, location='query', required=False,
+                type='string', example=example, description=''
+            )
+        ]
+
+    def get_query_labels(self, request):
+        labels_query = request.query_params.getlist(self.query_arg)
+        if not labels_query:
+            return None
+
+        q = None
+        for kv in labels_query:
+            if '#' in kv:
+                self.sep = '#'
+            if self.sep not in kv:
+                continue
+            key, value = kv.strip().split(self.sep)[:2]
+            if not all([key, value]):
+                continue
+            if q:
+                q |= Q(name=key, value=value)
+            else:
+                q = Q(name=key, value=value)
+        if not q:
+            return []
+        labels = Label.objects.filter(q, is_active=True)\
+            .values_list('id', flat=True)
+        return labels
+
+    def filter_queryset(self, request, queryset, view):
+        labels = self.get_query_labels(request)
+        if labels is None:
+            return queryset
+        if len(labels) == 0:
+            return queryset.none()
+        for label in labels:
+            queryset = queryset.filter(labels=label)
+        return queryset
+
+
+class AssetRelatedByNodeFilterBackend(AssetByNodeFilterBackend):
+    @staticmethod
+    def perform_query(pattern, queryset):
+        return queryset.filter(asset__nodes__key__regex=pattern).distinct()
+
--- a/apps/assets/forms/init.py
+++ b/apps/assets/forms/init.py
@@ -1,7 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from .asset import *
-from .label import *
-from .user import *
-from .domain import *
-from .cmd_filter import *
--- a/apps/assets/forms/asset.py
+++ b/apps/assets/forms/asset.py
@@ -1,143 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django import forms
-from django.utils.translation import gettext_lazy as _
-
-from common.utils import get_logger
-from orgs.mixins import OrgModelForm
-
-from ..models import Asset, AdminUser
-
-
-logger = get_logger(__file__)
-__all__ = ['AssetCreateForm', 'AssetUpdateForm', 'AssetBulkUpdateForm']
-
-
-class AssetCreateForm(OrgModelForm):
-    class Meta:
-        model = Asset
-        fields = [
-            'hostname', 'ip', 'public_ip', 'port',  'comment',
-            'nodes', 'is_active', 'admin_user', 'labels', 'platform',
-            'domain', 'protocol',
-
-        ]
-        widgets = {
-            'nodes': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Nodes')
-            }),
-            'admin_user': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('Admin user')
-            }),
-            'labels': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Label')
-            }),
-            'port': forms.TextInput(),
-            'domain': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('Domain')
-            }),
-        }
-        labels = {
-            'nodes': _("Node"),
-        }
-        help_texts = {
-            'admin_user': _(
-                'root or other NOPASSWD sudo privilege user existed in asset,'
-                'If asset is windows or other set any one, more see admin user left menu'
-            ),
-            'platform': _("Windows 2016 RDP protocol is different, If is window 2016, set it"),
-            'domain': _("If your have some network not connect with each other, you can set domain")
-        }
-
-
-class AssetUpdateForm(OrgModelForm):
-    class Meta:
-        model = Asset
-        fields = [
-            'hostname', 'ip', 'port', 'nodes',  'is_active', 'platform',
-            'public_ip', 'number', 'comment', 'admin_user', 'labels',
-            'domain', 'protocol',
-        ]
-        widgets = {
-            'nodes': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Node')
-            }),
-            'admin_user': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('Admin user')
-            }),
-            'labels': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Label')
-            }),
-            'port': forms.TextInput(),
-            'domain': forms.Select(attrs={
-                'class': 'select2', 'data-placeholder': _('Domain')
-            }),
-        }
-        labels = {
-            'nodes': _("Node"),
-        }
-        help_texts = {
-            'admin_user': _(
-                'root or other NOPASSWD sudo privilege user existed in asset,'
-                'If asset is windows or other set any one, more see admin user left menu'
-            ),
-            'platform': _("Windows 2016 RDP protocol is different, If is window 2016, set it"),
-            'domain': _("If your have some network not connect with each other, you can set domain")
-        }
-
-
-class AssetBulkUpdateForm(OrgModelForm):
-    assets = forms.ModelMultipleChoiceField(
-        required=True,
-        label=_('Select assets'), queryset=Asset.objects.all(),
-        widget=forms.SelectMultiple(
-            attrs={
-                'class': 'select2',
-                'data-placeholder': _('Select assets')
-            }
-        )
-    )
-
-    class Meta:
-        model = Asset
-        fields = [
-            'assets', 'port',  'admin_user', 'labels', 'platform',
-            'protocol', 'domain',
-        ]
-        widgets = {
-            'labels': forms.SelectMultiple(
-                attrs={'class': 'select2', 'data-placeholder': _('Label')}
-            ),
-            'nodes': forms.SelectMultiple(
-                attrs={'class': 'select2', 'data-placeholder': _('Node')}
-            ),
-        }
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        # 重写其他字段为不再required
-        for name, field in self.fields.items():
-            if name != 'assets':
-                field.required = False
-
-    def save(self, commit=True):
-        changed_fields = []
-        for field in self._meta.fields:
-            if self.data.get(field) not in [None, '']:
-                changed_fields.append(field)
-
-        cleaned_data = {k: v for k, v in self.cleaned_data.items()
-                        if k in changed_fields}
-        assets = cleaned_data.pop('assets')
-        labels = cleaned_data.pop('labels', [])
-        nodes = cleaned_data.pop('nodes', None)
-        assets = Asset.objects.filter(id__in=[asset.id for asset in assets])
-        assets.update(**cleaned_data)
-
-        if labels:
-            for asset in assets:
-                asset.labels.set(labels)
-        if nodes:
-            for asset in assets:
-                asset.nodes.set(nodes)
-        return assets
--- a/apps/assets/forms/cmd_filter.py
+++ b/apps/assets/forms/cmd_filter.py
@@ -1,27 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django import forms
-
-from orgs.mixins import OrgModelForm
-from ..models import CommandFilter, CommandFilterRule
-
-__all__ = ['CommandFilterForm', 'CommandFilterRuleForm']
-
-
-class CommandFilterForm(OrgModelForm):
-    class Meta:
-        model = CommandFilter
-        fields = ['name', 'comment']
-
-
-class CommandFilterRuleForm(OrgModelForm):
-    class Meta:
-        model = CommandFilterRule
-        fields = [
-            'filter', 'type', 'content', 'priority', 'action', 'comment'
-        ]
-        widgets = {
-            'content':  forms.Textarea(attrs={
-                'placeholder': 'eg:\r\nreboot\r\nrm -rf'
-            }),
-        }
--- a/apps/assets/forms/domain.py
+++ b/apps/assets/forms/domain.py
@@ -1,75 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django import forms
-from django.utils.translation import gettext_lazy as _
-
-from orgs.mixins import OrgModelForm
-from ..models import Domain, Asset, Gateway
-from .user import PasswordAndKeyAuthForm
-
-__all__ = ['DomainForm', 'GatewayForm']
-
-
-class DomainForm(forms.ModelForm):
-    assets = forms.ModelMultipleChoiceField(
-        queryset=Asset.objects.all(), label=_('Asset'), required=False,
-        widget=forms.SelectMultiple(
-            attrs={'class': 'select2', 'data-placeholder': _('Select assets')}
-        )
-    )
-
-    class Meta:
-        model = Domain
-        fields = ['name', 'comment', 'assets']
-
-    def __init__(self, *args, **kwargs):
-        if kwargs.get('instance', None):
-            initial = kwargs.get('initial', {})
-            initial['assets'] = kwargs['instance'].assets.all()
-        super().__init__(*args, **kwargs)
-
-        # 前端渲染优化, 防止过多资产
-        assets_field = self.fields.get('assets')
-        if not self.data:
-            instance = kwargs.get('instance')
-            if instance:
-                assets_field.queryset = instance.assets.all()
-            else:
-                assets_field.queryset = Asset.objects.none()
-
-    def save(self, commit=True):
-        instance = super().save(commit=commit)
-        assets = self.cleaned_data['assets']
-        instance.assets.set(assets)
-        return instance
-
-
-class GatewayForm(PasswordAndKeyAuthForm, OrgModelForm):
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        password_field = self.fields.get('password')
-        password_field.help_text = _('Password should not contain special characters')
-        protocol_field = self.fields.get('protocol')
-        protocol_field.choices = [Gateway.PROTOCOL_CHOICES[0]]
-
-    def save(self, commit=True):
-        # Because we define custom field, so we need rewrite :method: `save`
-        instance = super().save()
-        password = self.cleaned_data.get('password')
-        private_key, public_key = super().gen_keys()
-        instance.set_auth(password=password, private_key=private_key)
-        return instance
-
-    class Meta:
-        model = Gateway
-        fields = [
-            'name', 'ip', 'port', 'username', 'protocol', 'domain', 'password',
-            'private_key_file',  'is_active', 'comment',
-        ]
-        help_texts = {
-            'protocol': _("SSH gateway support proxy SSH,RDP,VNC")
-        }
-        widgets = {
-            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
-            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
-        }
--- a/apps/assets/forms/label.py
+++ b/apps/assets/forms/label.py
@@ -1,42 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django import forms
-from django.utils.translation import gettext_lazy as _
-
-from ..models import Label, Asset
-
-__all__ = ['LabelForm']
-
-
-class LabelForm(forms.ModelForm):
-    assets = forms.ModelMultipleChoiceField(
-        queryset=Asset.objects.all(), label=_('Asset'), required=False,
-        widget=forms.SelectMultiple(
-            attrs={'class': 'select2', 'data-placeholder': _('Select assets')}
-        )
-    )
-
-    class Meta:
-        model = Label
-        fields = ['name', 'value', 'assets']
-
-    def __init__(self, *args, **kwargs):
-        if kwargs.get('instance', None):
-            initial = kwargs.get('initial', {})
-            initial['assets'] = kwargs['instance'].assets.all()
-        super().__init__(*args, **kwargs)
-
-        # 前端渲染优化, 防止过多资产
-        assets_field = self.fields.get('assets')
-        if not self.data:
-            instance = kwargs.get('instance')
-            if instance:
-                assets_field.queryset = instance.assets.all()
-            else:
-                assets_field.queryset = Asset.objects.none()
-
-    def save(self, commit=True):
-        label = super().save(commit=commit)
-        assets = self.cleaned_data['assets']
-        label.assets.set(assets)
-        return label
--- a/apps/assets/forms/user.py
+++ b/apps/assets/forms/user.py
@@ -1,159 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django import forms
-from django.utils.translation import gettext_lazy as _
-
-from common.utils import validate_ssh_private_key, ssh_pubkey_gen, get_logger
-from orgs.mixins import OrgModelForm
-from ..models import AdminUser, SystemUser
-
-logger = get_logger(__file__)
-__all__ = [
-    'FileForm', 'SystemUserForm', 'AdminUserForm', 'PasswordAndKeyAuthForm',
-]
-
-
-class FileForm(forms.Form):
-    file = forms.FileField()
-
-
-class PasswordAndKeyAuthForm(forms.ModelForm):
-    # Form field name can not start with `_`, so redefine it,
-    password = forms.CharField(
-        widget=forms.PasswordInput, max_length=128,
-        strip=True, required=False,
-        help_text=_('Password or private key passphrase'),
-        label=_("Password"),
-    )
-    # Need use upload private key file except paste private key content
-    private_key_file = forms.FileField(required=False, label=_("Private key"))
-
-    def clean_private_key_file(self):
-        private_key_file = self.cleaned_data['private_key_file']
-        password = self.cleaned_data['password']
-
-        if private_key_file:
-            key_string = private_key_file.read()
-            private_key_file.seek(0)
-            key_string = key_string.decode()
-
-            if not validate_ssh_private_key(key_string, password):
-                msg = _('Invalid private key, Only support '
-                        'RSA/DSA format key')
-                raise forms.ValidationError(msg)
-        return private_key_file
-
-    def validate_password_key(self):
-        password = self.cleaned_data['password']
-        private_key_file = self.cleaned_data.get('private_key_file', '')
-
-        if not password and not private_key_file:
-            raise forms.ValidationError(_(
-                'Password and private key file must be input one'
-            ))
-
-    def gen_keys(self):
-        password = self.cleaned_data.get('password', '') or None
-        private_key_file = self.cleaned_data['private_key_file']
-        public_key = private_key = None
-
-        if private_key_file:
-            private_key = private_key_file.read().strip().decode('utf-8')
-            public_key = ssh_pubkey_gen(private_key=private_key, password=password)
-        return private_key, public_key
-
-
-class AdminUserForm(PasswordAndKeyAuthForm):
-    def save(self, commit=True):
-        # Because we define custom field, so we need rewrite :method: `save`
-        admin_user = super().save(commit=commit)
-        password = self.cleaned_data.get('password', '') or None
-        private_key, public_key = super().gen_keys()
-        admin_user.set_auth(password=password, public_key=public_key, private_key=private_key)
-        return admin_user
-
-    def clean(self):
-        super().clean()
-        if not self.instance:
-            super().validate_password_key()
-
-    class Meta:
-        model = AdminUser
-        fields = ['name', 'username', 'password', 'private_key_file', 'comment']
-        widgets = {
-            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
-            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
-        }
-
-
-class SystemUserForm(OrgModelForm, PasswordAndKeyAuthForm):
-    # Admin user assets define, let user select, save it in form not in view
-    auto_generate_key = forms.BooleanField(initial=True, required=False)
-
-    def save(self, commit=True):
-        # Because we define custom field, so we need rewrite :method: `save`
-        system_user = super().save()
-        password = self.cleaned_data.get('password', '') or None
-        login_mode = self.cleaned_data.get('login_mode', '') or None
-        protocol = self.cleaned_data.get('protocol') or None
-        auto_generate_key = self.cleaned_data.get('auto_generate_key', False)
-        private_key, public_key = super().gen_keys()
-
-        if login_mode == SystemUser.LOGIN_MANUAL or \
-                protocol in [SystemUser.PROTOCOL_RDP,
-                             SystemUser.PROTOCOL_TELNET,
-                             SystemUser.PROTOCOL_VNC]:
-            system_user.auto_push = 0
-            auto_generate_key = False
-            system_user.save()
-
-        if auto_generate_key:
-            logger.info('Auto generate key and set system user auth')
-            system_user.auto_gen_auth()
-        else:
-            system_user.set_auth(password=password, private_key=private_key,
-                                 public_key=public_key)
-
-        return system_user
-
-    def clean(self):
-        super().clean()
-        auto_generate = self.cleaned_data.get('auto_generate_key')
-        if not self.instance and not auto_generate:
-            super().validate_password_key()
-
-    def clean_username(self):
-        username = self.data.get('username')
-        login_mode = self.data.get('login_mode')
-        protocol = self.data.get('protocol')
-
-        if username:
-            return username
-        if login_mode == SystemUser.LOGIN_AUTO and \
-                protocol != SystemUser.PROTOCOL_VNC:
-            msg = _('* Automatic login mode must fill in the username.')
-            raise forms.ValidationError(msg)
-        return username
-
-    class Meta:
-        model = SystemUser
-        fields = [
-            'name', 'username', 'protocol', 'auto_generate_key',
-            'password', 'private_key_file', 'auto_push', 'sudo',
-            'comment', 'shell', 'priority', 'login_mode', 'cmd_filters',
-        ]
-        widgets = {
-            'name': forms.TextInput(attrs={'placeholder': _('Name')}),
-            'username': forms.TextInput(attrs={'placeholder': _('Username')}),
-            'cmd_filters': forms.SelectMultiple(attrs={
-                'class': 'select2', 'data-placeholder': _('Command filter')
-            }),
-        }
-        help_texts = {
-            'auto_push': _('Auto push system user to asset'),
-            'priority': _('1-100, High level will be using login asset as default, '
-                          'if user was granted more than 2 system user'),
-            'login_mode': _('If you choose manual login mode, you do not '
-                            'need to fill in the username and password.'),
-            'sudo': _("Use comma split multi command, ex: /bin/whoami,/bin/ifconfig")
-        }
--- a/apps/assets/hands.py
+++ b/apps/assets/hands.py
@@ -6,11 +6,10 @@

    Other module of this app shouldn't connect with other app.

-    :copyright: (c) 2014-2018 by Jumpserver Team.
+    :copyright: (c) 2014-2018 by JumpServer Team.
    :license: GPL v2, see LICENSE for more details.
 """


-from common.permissions import AdminUserRequiredMixin
 from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup
--- a/apps/assets/migrations/0002_auto_20180105_1807.py
+++ b/apps/assets/migrations/0002_auto_20180105_1807.py
@@ -1,35 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-01-05 10:07
-from __future__ import unicode_literals
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0001_initial'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='adminuser',
-            options={'ordering': ['name'], 'verbose_name': 'Admin user'},
-        ),
-        migrations.AlterModelOptions(
-            name='asset',
-            options={'verbose_name': 'Asset'},
-        ),
-        migrations.AlterModelOptions(
-            name='assetgroup',
-            options={'ordering': ['name'], 'verbose_name': 'Asset group'},
-        ),
-        migrations.AlterModelOptions(
-            name='cluster',
-            options={'ordering': ['name'], 'verbose_name': 'Cluster'},
-        ),
-        migrations.AlterModelOptions(
-            name='systemuser',
-            options={'ordering': ['name'], 'verbose_name': 'System user'},
-        ),
-    ]
--- a/apps/assets/migrations/0003_auto_20180109_2331.py
+++ b/apps/assets/migrations/0003_auto_20180109_2331.py
@@ -1,22 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-01-09 15:31
-from __future__ import unicode_literals
-
-import assets.models.asset
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0002_auto_20180105_1807'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='asset',
-            name='cluster',
-            field=models.ForeignKey(default=assets.models.asset.default_cluster, on_delete=django.db.models.deletion.SET_DEFAULT, related_name='assets', to='assets.Cluster', verbose_name='Cluster'),
-        ),
-    ]
--- a/apps/assets/migrations/0004_auto_20180125_1218.py
+++ b/apps/assets/migrations/0004_auto_20180125_1218.py
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-01-25 04:18
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0003_auto_20180109_2331'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='assetgroup',
-            name='created_by',
-            field=models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by'),
-        ),
-    ]
--- a/apps/assets/migrations/0005_auto_20180126_1637.py
+++ b/apps/assets/migrations/0005_auto_20180126_1637.py
@@ -1,40 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-01-26 08:37
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0004_auto_20180125_1218'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Label',
-            fields=[
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('value', models.CharField(max_length=128, verbose_name='Value')),
-                ('category', models.CharField(choices=[('S', 'System'), ('U', 'User')], default='U', max_length=128, verbose_name='Category')),
-                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
-                ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-            ],
-            options={
-                'db_table': 'assets_label',
-            },
-        ),
-        migrations.AlterUniqueTogether(
-            name='label',
-            unique_together=set([('name', 'value')]),
-        ),
-        migrations.AddField(
-            model_name='asset',
-            name='labels',
-            field=models.ManyToManyField(blank=True, related_name='assets', to='assets.Label', verbose_name='Labels'),
-        ),
-    ]
--- a/apps/assets/migrations/0006_auto_20180130_1502.py
+++ b/apps/assets/migrations/0006_auto_20180130_1502.py
@@ -1,39 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-01-30 07:02
-from __future__ import unicode_literals
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0005_auto_20180126_1637'),
-    ]
-
-    operations = [
-        migrations.RemoveField(
-            model_name='asset',
-            name='cabinet_no',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='cabinet_pos',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='env',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='remote_card_ip',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='status',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='type',
-        ),
-    ]
--- a/apps/assets/migrations/0007_auto_20180225_1815.py
+++ b/apps/assets/migrations/0007_auto_20180225_1815.py
@@ -1,60 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-02-25 10:15
-from __future__ import unicode_literals
-
-import assets.models.asset
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0006_auto_20180130_1502'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Node',
-            fields=[
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('key', models.CharField(max_length=64, unique=True, verbose_name='Key')),
-                ('value', models.CharField(max_length=128, unique=True, verbose_name='Value')),
-                ('child_mark', models.IntegerField(default=0)),
-                ('date_create', models.DateTimeField(auto_now_add=True)),
-            ],
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='cluster',
-        ),
-        migrations.RemoveField(
-            model_name='asset',
-            name='groups',
-        ),
-        migrations.RemoveField(
-            model_name='systemuser',
-            name='cluster',
-        ),
-        migrations.AlterField(
-            model_name='asset',
-            name='admin_user',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='assets.AdminUser', verbose_name='Admin user'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol'),
-        ),
-        migrations.AddField(
-            model_name='asset',
-            name='nodes',
-            field=models.ManyToManyField(default=assets.models.asset.default_node, related_name='assets', to='assets.Node', verbose_name='Nodes'),
-        ),
-        migrations.AddField(
-            model_name='systemuser',
-            name='nodes',
-            field=models.ManyToManyField(blank=True, to='assets.Node', verbose_name='Nodes'),
-        ),
-    ]
--- a/apps/assets/migrations/0008_auto_20180306_1804.py
+++ b/apps/assets/migrations/0008_auto_20180306_1804.py
@@ -1,40 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-03-06 10:04
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0007_auto_20180225_1815'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='adminuser',
-            name='created_by',
-            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
-        ),
-        migrations.AlterField(
-            model_name='adminuser',
-            name='username',
-            field=models.CharField(max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='asset',
-            name='platform',
-            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='created_by',
-            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='username',
-            field=models.CharField(max_length=128, verbose_name='Username'),
-        ),
-    ]
--- a/apps/assets/migrations/0009_auto_20180307_1212.py
+++ b/apps/assets/migrations/0009_auto_20180307_1212.py
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-03-07 04:12
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0008_auto_20180306_1804'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='node',
-            name='value',
-            field=models.CharField(max_length=128, verbose_name='Value'),
-        ),
-    ]
--- a/apps/assets/migrations/0010_auto_20180307_1749.py
+++ b/apps/assets/migrations/0010_auto_20180307_1749.py
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-03-07 09:49
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0009_auto_20180307_1212'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='node',
-            name='value',
-            field=models.CharField(max_length=128, unique=True, verbose_name='Value'),
-        ),
-    ]
--- a/apps/assets/migrations/0011_auto_20180326_0957.py
+++ b/apps/assets/migrations/0011_auto_20180326_0957.py
@@ -1,55 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-03-26 01:57
-from __future__ import unicode_literals
-
-import assets.models.utils
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0010_auto_20180307_1749'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Domain',
-            fields=[
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
-                ('comment', models.TextField(blank=True, verbose_name='Comment')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-            ],
-        ),
-        migrations.CreateModel(
-            name='Gateway',
-            fields=[
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
-                ('username', models.CharField(max_length=128, verbose_name='Username')),
-                ('_password', models.CharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('_private_key', models.TextField(blank=True, max_length=4096, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key')),
-                ('_public_key', models.TextField(blank=True, max_length=4096, verbose_name='SSH public key')),
-                ('date_created', models.DateTimeField(auto_now_add=True)),
-                ('date_updated', models.DateTimeField(auto_now=True)),
-                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
-                ('ip', models.GenericIPAddressField(db_index=True, verbose_name='IP')),
-                ('port', models.IntegerField(default=22, verbose_name='Port')),
-                ('protocol', models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol')),
-                ('comment', models.CharField(blank=True, max_length=128, null=True, verbose_name='Comment')),
-                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
-                ('domain', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Domain', verbose_name='Domain')),
-            ],
-            options={
-                'abstract': False,
-            },
-        ),
-        migrations.AddField(
-            model_name='asset',
-            name='domain',
-            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='assets', to='assets.Domain', verbose_name='Domain'),
-        ),
-    ]
--- a/apps/assets/migrations/0012_auto_20180404_1302.py
+++ b/apps/assets/migrations/0012_auto_20180404_1302.py
@@ -1,21 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-04-04 05:02
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0011_auto_20180326_0957'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='asset',
-            name='domain',
-            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='assets', to='assets.Domain', verbose_name='Domain'),
-        ),
-    ]
--- a/apps/assets/migrations/0013_auto_20180411_1135.py
+++ b/apps/assets/migrations/0013_auto_20180411_1135.py
@@ -1,25 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-04-11 03:35
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0012_auto_20180404_1302'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='systemuser',
-            name='assets',
-            field=models.ManyToManyField(blank=True, to='assets.Asset', verbose_name='Assets'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='sudo',
-            field=models.TextField(default='/bin/whoami', verbose_name='Sudo'),
-        ),
-    ]
--- a/apps/assets/migrations/0014_auto_20180427_1245.py
+++ b/apps/assets/migrations/0014_auto_20180427_1245.py
@@ -1,31 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-04-27 04:45
-from __future__ import unicode_literals
-
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0013_auto_20180411_1135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='adminuser',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='gateway',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-    ]
--- a/apps/assets/migrations/0015_auto_20180510_1235.py
+++ b/apps/assets/migrations/0015_auto_20180510_1235.py
@@ -1,31 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-05-10 04:35
-from __future__ import unicode_literals
-
-import django.core.validators
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0014_auto_20180427_1245'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='adminuser',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='gateway',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='username',
-            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-    ]
--- a/apps/assets/migrations/0016_auto_20180511_1203.py
+++ b/apps/assets/migrations/0016_auto_20180511_1203.py
@@ -1,20 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-05-11 04:03
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0015_auto_20180510_1235'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='node',
-            name='value',
-            field=models.CharField(max_length=128, verbose_name='Value'),
-        ),
-    ]
--- a/apps/assets/migrations/0017_auto_20180702_1415.py
+++ b/apps/assets/migrations/0017_auto_20180702_1415.py
@@ -1,58 +0,0 @@
-# -*- coding: utf-8 -*-
-# Generated by Django 1.11 on 2018-07-02 06:15
-from __future__ import unicode_literals
-
-import django.core.validators
-from django.db import migrations, models
-
-
-def migrate_win_to_ssh_protocol(apps, schema_editor):
-    asset_model = apps.get_model("assets", "Asset")
-    db_alias = schema_editor.connection.alias
-    asset_model.objects.using(db_alias).filter(platform__startswith='Win').update(protocol='rdp')
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0016_auto_20180511_1203'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='asset',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=128, verbose_name='Protocol'),
-        ),
-        migrations.AddField(
-            model_name='systemuser',
-            name='login_mode',
-            field=models.CharField(choices=[('auto', 'Automatic login'), ('manual', 'Manually login')], default='auto', max_length=10, verbose_name='Login mode'),
-        ),
-        migrations.AlterField(
-            model_name='adminuser',
-            name='username',
-            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='asset',
-            name='platform',
-            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Windows2016', 'Windows(2016)'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
-        ),
-        migrations.AlterField(
-            model_name='gateway',
-            name='username',
-            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=16, verbose_name='Protocol'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='username',
-            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
-        ),
-        migrations.RunPython(migrate_win_to_ssh_protocol),
-    ]
--- a/apps/assets/migrations/0018_auto_20180807_1116.py
+++ b/apps/assets/migrations/0018_auto_20180807_1116.py
@@ -1,84 +0,0 @@
-# Generated by Django 2.0.7 on 2018-08-07 03:16
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0017_auto_20180702_1415'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='adminuser',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='asset',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='domain',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='gateway',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='label',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='node',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AddField(
-            model_name='systemuser',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
-        migrations.AlterField(
-            model_name='adminuser',
-            name='name',
-            field=models.CharField(max_length=128, verbose_name='Name'),
-        ),
-        migrations.AlterField(
-            model_name='asset',
-            name='hostname',
-            field=models.CharField(max_length=128, verbose_name='Hostname'),
-        ),
-        migrations.AlterField(
-            model_name='gateway',
-            name='name',
-            field=models.CharField(max_length=128, verbose_name='Name'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='name',
-            field=models.CharField(max_length=128, verbose_name='Name'),
-        ),
-        migrations.AlterUniqueTogether(
-            name='adminuser',
-            unique_together={('name', 'org_id')},
-        ),
-        migrations.AlterUniqueTogether(
-            name='asset',
-            unique_together={('org_id', 'hostname')},
-        ),
-        migrations.AlterUniqueTogether(
-            name='gateway',
-            unique_together={('name', 'org_id')},
-        ),
-        migrations.AlterUniqueTogether(
-            name='systemuser',
-            unique_together={('name', 'org_id')},
-        ),
-    ]
--- a/apps/assets/migrations/0019_auto_20180816_1320.py
+++ b/apps/assets/migrations/0019_auto_20180816_1320.py
@@ -1,22 +0,0 @@
-# Generated by Django 2.0.7 on 2018-08-16 05:20
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0018_auto_20180807_1116'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='asset',
-            name='cpu_vcpus',
-            field=models.IntegerField(null=True, verbose_name='CPU vcpus'),
-        ),
-        migrations.AlterUniqueTogether(
-            name='label',
-            unique_together={('name', 'value', 'org_id')},
-        ),
-    ]
--- a/apps/assets/migrations/0027_auto_20190521_1703.py
+++ b/apps/assets/migrations/0027_auto_20190521_1703.py
@@ -15,4 +15,9 @@ class Migration(migrations.Migration):
            name='ip',
            field=models.CharField(db_index=True, max_length=128, verbose_name='IP'),
        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='public_ip',
+            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Public IP'),
+        ),
    ]
--- a/apps/assets/migrations/0028_protocol.py
+++ b/apps/assets/migrations/0028_protocol.py
@@ -0,0 +1,29 @@
+# Generated by Django 2.1.7 on 2019-05-22 02:58
+
+import django.core.validators
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0027_auto_20190521_1703'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Protocol',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)'), ('vnc', 'vnc')], default='ssh', max_length=16, verbose_name='Name')),
+                ('port', models.IntegerField(default=22, validators=[django.core.validators.MaxValueValidator(65535), django.core.validators.MinValueValidator(1)], verbose_name='Port')),
+            ],
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='protocols',
+            field=models.ManyToManyField(to='assets.Protocol',
+                                         verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0029_auto_20190522_1114.py
+++ b/apps/assets/migrations/0029_auto_20190522_1114.py
@@ -0,0 +1,13 @@
+# Generated by Django 2.1.7 on 2019-05-22 03:14
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0028_protocol'),
+    ]
+
+    operations = [
+    ]
--- a/apps/assets/migrations/0030_auto_20190619_1135.py
+++ b/apps/assets/migrations/0030_auto_20190619_1135.py
@@ -0,0 +1,19 @@
+# Generated by Django 2.1.7 on 2019-06-19 03:35
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0029_auto_20190522_1114'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='admin_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, related_name='assets', to='assets.AdminUser', verbose_name='Admin user'),
+        ),
+    ]
--- a/apps/assets/migrations/0031_auto_20190621_1332.py
+++ b/apps/assets/migrations/0031_auto_20190621_1332.py
@@ -0,0 +1,53 @@
+# Generated by Django 2.1.7 on 2019-06-21 05:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0030_auto_20190619_1135'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='date_created',
+            field=models.DateTimeField(auto_now_add=True, verbose_name='Date created'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='date_updated',
+            field=models.DateTimeField(auto_now=True, verbose_name='Date updated'),
+        ),
+    ]
--- a/apps/assets/migrations/0032_auto_20190624_2108.py
+++ b/apps/assets/migrations/0032_auto_20190624_2108.py
@@ -0,0 +1,75 @@
+# Generated by Django 2.1.7 on 2019-06-24 13:08
+
+import assets.models.utils
+import common.fields.model
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0031_auto_20190621_1332'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_password',
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='_public_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+        ),
+    ]
--- a/apps/assets/migrations/0033_auto_20190624_2108.py
+++ b/apps/assets/migrations/0033_auto_20190624_2108.py
@@ -0,0 +1,73 @@
+# Generated by Django 2.1.7 on 2019-06-24 13:08
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0032_auto_20190624_2108'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_private_key',
+            new_name='private_key',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_public_key',
+            new_name='public_key',
+        ),
+        migrations.RenameField(
+            model_name='adminuser',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='authbook',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='gateway',
+            old_name='_password',
+            new_name='password',
+        ),
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='_password',
+            new_name='password',
+        ),
+    ]
--- a/apps/assets/migrations/0034_auto_20190705_1348.py
+++ b/apps/assets/migrations/0034_auto_20190705_1348.py
@@ -0,0 +1,39 @@
+# Generated by Django 2.1.7 on 2019-07-05 05:48
+
+from django.db import migrations
+from django.db.models import F
+from django.db.models import CharField, Value as V
+from django.db.models.functions import Concat
+
+
+def migrate_assets_protocol(apps, schema_editor):
+    asset_model = apps.get_model("assets", "Asset")
+    db_alias = schema_editor.connection.alias
+    assets = asset_model.objects.using(db_alias).all().annotate(
+        protocols_new=Concat(
+            'protocol', V('/'), 'port',
+            output_field=CharField(),
+        ),
+    )
+    assets.update(protocols=F('protocols_new'))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0033_auto_20190624_2108'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='asset',
+            name='protocols',
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='protocols',
+            field=CharField(blank=True, default='ssh/22', max_length=128, verbose_name='Protocols'),
+        ),
+        migrations.RunPython(migrate_assets_protocol),
+        migrations.DeleteModel(name='Protocol'),
+    ]
--- a/apps/assets/migrations/0035_auto_20190711_2018.py
+++ b/apps/assets/migrations/0035_auto_20190711_2018.py
@@ -0,0 +1,34 @@
+# Generated by Django 2.1.7 on 2019-07-11 12:18
+
+import common.fields.model
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0034_auto_20190705_1348'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='authbook',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='private_key',
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+        ),
+    ]
--- a/apps/assets/migrations/0036_auto_20190716_1535.py
+++ b/apps/assets/migrations/0036_auto_20190716_1535.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-07-16 07:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0035_auto_20190711_2018'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='commandfilter',
+            name='name',
+            field=models.CharField(max_length=64, unique=True, verbose_name='Name'),
+        ),
+    ]
--- a/apps/assets/migrations/0037_auto_20190724_2002.py
+++ b/apps/assets/migrations/0037_auto_20190724_2002.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-07-24 12:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0036_auto_20190716_1535'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='_become_pass',
+            field=models.CharField(blank=True, default='', max_length=128),
+        ),
+    ]
--- a/apps/assets/migrations/0038_auto_20190911_1634.py
+++ b/apps/assets/migrations/0038_auto_20190911_1634.py
@@ -0,0 +1,23 @@
+# Generated by Django 2.1.7 on 2019-09-11 08:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0037_auto_20190724_2002'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet'), ('vnc', 'vnc')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet'), ('vnc', 'vnc')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0039_authbook_is_active.py
+++ b/apps/assets/migrations/0039_authbook_is_active.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-09-17 12:22
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0038_auto_20190911_1634'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authbook',
+            name='is_active',
+            field=models.BooleanField(default=True, verbose_name='Is active'),
+        ),
+    ]
--- a/Show More
+++ b/Show More