fix(i18n): 修改翻译文件

Merge pull request #7229 from jumpserver/dev
v2.16
2025-12-16 17:12:53 +00:00 · 2021-11-18 19:06:54 +08:00 · 2021-11-18 18:51:57 +08:00 · 2021-11-18 18:49:22 +08:00 · 2021-11-18 18:47:01 +08:00 · 2021-11-18 18:07:51 +08:00
665 changed files with 28117 additions and 15184 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -7,3 +7,4 @@ django.db
 celerybeat.pid
 ### Vagrant ###
 .vagrant/
+apps/xpack/.git
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,2 @@
+*.mmdb filter=lfs diff=lfs merge=lfs -text
+*.mo filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,7 @@ dump.rdb
 .tox
 .cache/
 .idea/
+.vscode/
 db.sqlite3
 config.py
 config.yml
@@ -38,3 +39,4 @@ logs/*
 .vagrant/
 release/*
 releashe
+/apps/script.py
--- a/25
+++ b/25
@@ -8,7 +8,6 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh

-
 # 构建运行时环境
 FROM python:3.8.6-slim
 ARG PIP_MIRROR=https://pypi.douban.com/simple
@@ -18,25 +17,37 @@ ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR

 WORKDIR /opt/jumpserver

-COPY ./requirements/deb_buster_requirements.txt ./requirements/deb_buster_requirements.txt
+COPY ./requirements/deb_requirements.txt ./requirements/deb_requirements.txt
 RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
    && apt update \
-    && grep -v '^#' ./requirements/deb_buster_requirements.txt | xargs apt -y install \
+    && apt -y install telnet iproute2 redis-tools default-mysql-client vim wget curl locales procps \
+    && apt -y install $(cat requirements/deb_requirements.txt) \
+    && rm -rf /var/lib/apt/lists/* \
    && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
-    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
+    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
+    && echo "set mouse-=a" > ~/.vimrc

 COPY ./requirements/requirements.txt ./requirements/requirements.txt
 RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --no-cache-dir $(grep 'jms' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install --no-cache-dir -r requirements/requirements.txt
+    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
+    && rm -rf ~/.cache/pip

 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config

+RUN mkdir -p /opt/jumpserver/oracle/ \
+    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar > /dev/null \
+    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
+    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && ldconfig \
+    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+
 RUN echo > config.yml
+
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs

--- a/README.md
+++ b/README.md
@@ -1,132 +1,29 @@
-# JumpServer 多云环境下更好用的堡垒机
+<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
+<h3 align="center">多云环境下更好用的堡垒机</h3>

-[![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
-[![Django](https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
-[![Docker Pulls](https://img.shields.io/docker/pulls/jumpserver/jms_all.svg)](https://hub.docker.com/u/jumpserver)
-
- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
-
-## 紧急BUG修复通知
-JumpServer发现远程执行漏洞，请速度修复
-
-非常感谢  **reactivity of Alibaba Hackerone bug bounty program**(瑞典) 向我们报告了此 BUG
-
-**影响版本:**
-```
-< v2.6.2
-< v2.5.4
-< v2.4.5 
-= v1.5.9
->= v1.5.3
-```
-**安全版本:**
-```
->= v2.6.2
->= v2.5.4
->= v2.4.5 
-= v1.5.9 （版本号没变）
-< v1.5.3
-```
-
-**修复方案:**
-
-将JumpServer升级至安全版本；
-
-**临时修复方案:**
-
-修改 Nginx 配置文件屏蔽漏洞接口 
-
-```
-/api/v1/authentication/connection-token/
-/api/v1/users/connection-token/
-```
-
-Nginx 配置文件位置
-```
-# 社区老版本
-/etc/nginx/conf.d/jumpserver.conf
-
-# 企业老版本
-jumpserver-release/nginx/http_server.conf
- 
-# 新版本在 
-jumpserver-release/compose/config_static/http_server.conf
-```
-
-修改 Nginx 配置文件实例
-```
-### 保证在 /api 之前 和 / 之前
-location /api/v1/authentication/connection-token/ {
-   return 403;
-}
- 
-location /api/v1/users/connection-token/ {
-   return 403;
-}
-### 新增以上这些
- 
-location /api/ {
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass http://core:8080;
-  }
- 
-...
-```
-
-修改完成后重启 nginx
-
-```
-docker方式: 
-docker restart jms_nginx
-
-nginx方式:
-systemctl restart nginx
-
-```
-
-**修复验证**
-
-```
-$ wget https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh 
-
-# 使用方法 bash jms_bug_check.sh HOST 
-$ bash jms_bug_check.sh demo.jumpserver.org
-漏洞已修复
-```
-
-**入侵检测**
-
-下载脚本到 jumpserver 日志目录，这个目录中存在 gunicorn.log，然后执行
-
-```
-$ pwd
-/opt/jumpserver/core/logs
-
-$ ls gunicorn.log 
-gunicorn.log
-
-$ wget 'https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_check_attack.sh'
-$ bash jms_check_attack.sh
-系统未被入侵
-```
+<p align="center">
+  <a href="https://www.gnu.org/licenses/old-licenses/gpl-2.0"><img src="https://shields.io/github/license/jumpserver/jumpserver" alt="License: GPL v2"></a>
+  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
+</p>

 --------------------------
+- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
+

-JumpServer 正在寻找开发者，一起为改变世界做些贡献吧，哪怕一点点，联系我 <ibuler@fit2cloud.com> 

 JumpServer 是全球首款开源的堡垒机，使用 GNU GPL v2.0 开源协议，是符合 4A 规范的运维安全审计系统。

-JumpServer 使用 Python / Django 为主进行开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。

 JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。

-改变世界，从一点点开始。
+改变世界，从一点点开始 ...

-> 注: [KubeOperator](https://github.com/KubeOperator/KubeOperator) 是 JumpServer 团队在 Kubernetes 领域的的又一全新力作，欢迎关注和使用。
+> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)

-## 特色优势
+### 特色优势

 - 开源: 零门槛，线上快速获取和安装；
 - 分布式: 轻松支持大规模并发访问；
@@ -136,249 +33,75 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - 多租户: 一套系统，多个子公司和部门同时使用；
 - 多应用支持: 数据库，Windows远程应用，Kubernetes。

-## 版本说明
+### UI 展示

-自 v2.0.0 发布后， JumpServer 版本号命名将变更为：v大版本.功能版本.Bug修复版本。比如：
+![UI展示](https://www.jumpserver.org/images/screenshot/1.png)

-```
-v2.0.1 是 v2.0.0 之后的Bug修复版本；
-v2.1.0 是 v2.0.0 之后的功能版本。
-```
+### 在线体验

-像其它优秀开源项目一样，JumpServer 每个月会发布一个功能版本，并同时维护 3 个功能版本。比如：
+-   环境地址：<https://demo.jumpserver.org/>

-```
-在 v2.4 发布前，我们会同时维护 v2.1、v2.2、v2.3；
-在 v2.4 发布后，我们会同时维护 v2.2、v2.3、v2.4；v2.1 会停止维护。
-```
+| :warning: 注意                 |
+| :--------------------------- |
+| 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
+| 请勿修改体验环境用户的密码！               |
+| 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |

-## 功能列表
-
-<table>
-  <tr>
-    <td rowspan="8">身份认证<br>Authentication</td>
-    <td rowspan="5">登录认证</td>
-    <td>资源统一登录与认证</td>
-  </tr>
-  <tr>
-    <td>LDAP/AD 认证</td>
-  </tr>
-  <tr>
-    <td>RADIUS 认证</td>
-  </tr>
-  <tr>
-    <td>OpenID 认证（实现单点登录）</td>
-  </tr>
-  <tr>
-    <td>CAS 认证 （实现单点登录）</td>
-  </tr>
-  <tr>
-    <td rowspan="2">MFA认证</td>
-    <td>MFA 二次认证（Google Authenticator）</td>
-  </tr>
-  <tr>
-    <td>RADIUS 二次认证</td>
-  </tr>
-  <tr>
-    <td>登录复核（X-PACK）</td>
-    <td>用户登录行为受管理员的监管与控制</td>
-  </tr>
-  <tr>
-    <td rowspan="11">账号管理<br>Account</td>
-    <td rowspan="2">集中账号</td>
-    <td>管理用户管理</td>
-  </tr>
-  <tr>
-    <td>系统用户管理</td>
-  </tr>
-  <tr>
-    <td rowspan="4">统一密码</td>
-    <td>资产密码托管</td>
-  </tr>
-  <tr>
-    <td>自动生成密码</td>
-  </tr>
-  <tr>
-    <td>自动推送密码</td>
-  </tr>
-  <tr>
-    <td>密码过期设置</td>
-  </tr>
-  <tr>
-    <td rowspan="2">批量改密（X-PACK）</td>
-    <td>定期批量改密</td>
-  </tr>
-  <tr>
-    <td>多种密码策略</td>
-  </tr>
-  <tr>
-    <td>多云纳管（X-PACK）</td>
-    <td>对私有云、公有云资产自动统一纳管</td>
-  </tr>
-  <tr>
-    <td>收集用户（X-PACK）</td>
-    <td>自定义任务定期收集主机用户</td>
-  </tr>
-  <tr>
-    <td>密码匣子（X-PACK）</td>
-    <td>统一对资产主机的用户密码进行查看、更新、测试操作</td>
-  </tr>
-  <tr>
-    <td rowspan="15">授权控制<br>Authorization</td>
-    <td>多维授权</td>
-    <td>对用户、用户组、资产、资产节点、应用以及系统用户进行授权</td>
-  </tr>
-  <tr>
-    <td rowspan="4">资产授权</td>
-    <td>资产以树状结构进行展示</td>
-  </tr>
-  <tr>
-    <td>资产和节点均可灵活授权</td>
-  </tr>
-  <tr>
-    <td>节点内资产自动继承授权</td>
-  </tr>
-  <tr>
-    <td>子节点自动继承父节点授权</td>
-  </tr>
-  <tr>
-    <td rowspan="2">应用授权</td>
-    <td>实现更细粒度的应用级授权</td>
-  </tr>
-  <tr>
-    <td>MySQL 数据库应用、RemoteApp 远程应用（X-PACK）</td>
-  </tr>
-  <tr>
-    <td>动作授权</td>
-    <td>实现对授权资产的文件上传、下载以及连接动作的控制</td>
-  </tr>
-  <tr>
-    <td>时间授权</td>
-    <td>实现对授权资源使用时间段的限制</td>
-  </tr>
-  <tr>
-    <td>特权指令</td>
-    <td>实现对特权指令的使用（支持黑白名单）</td>
-  </tr>
-  <tr>
-    <td>命令过滤</td>
-    <td>实现对授权系统用户所执行的命令进行控制</td>
-  </tr>
-  <tr>
-    <td>文件传输</td>
-    <td>SFTP 文件上传/下载</td>
-  </tr>
-  <tr>
-    <td>文件管理</td>
-    <td>实现 Web SFTP 文件管理</td>
-  </tr>
-  <tr>
-    <td>工单管理（X-PACK）</td>
-    <td>支持对用户登录请求行为进行控制</td>
-  </tr>
-  <tr>
-    <td>组织管理（X-PACK）</td>
-    <td>实现多租户管理与权限隔离</td>
-  </tr>
-  <tr>
-    <td rowspan="7">安全审计<br>Audit</td>
-    <td>操作审计</td>
-    <td>用户操作行为审计</td>
-  </tr>
-  <tr>
-    <td rowspan="2">会话审计</td>
-    <td>在线会话内容审计</td>
-  </tr>
-  <tr>
-    <td>历史会话内容审计</td>
-  </tr>
-  <tr>
-    <td rowspan="2">录像审计</td>
-    <td>支持对 Linux、Windows 等资产操作的录像进行回放审计</td>
-  </tr>
-  <tr>
-    <td>支持对 RemoteApp（X-PACK）、MySQL 等应用操作的录像进行回放审计</td>
-  </tr>
-  <tr>
-    <td>指令审计</td>
-    <td>支持对资产和应用等操作的命令进行审计</td>
-  </tr>
-  <tr>
-    <td>文件传输</td>
-    <td>可对文件的上传、下载记录进行审计</td>
-  </tr>
-  <tr>
-    <td rowspan="20">数据库审计<br>Database</td>
-    <td rowspan="2">连接方式</td>
-    <td>命令方式</td>
-  </tr>
-  <tr>
-    <td>Web UI方式 (X-PACK)</td>
-  </tr>
-
-  <tr>
-    <td rowspan="4">支持的数据库</td>
-    <td>MySQL</td>
-  </tr>
-  <tr>
-    <td>Oracle (X-PACK)</td>
-  </tr>
-  <tr>
-    <td>MariaDB (X-PACK)</td>
-  </tr>
-  <tr>
-    <td>PostgreSQL (X-PACK)</td>
-  </tr>
-  <tr>
-    <td rowspan="6">功能亮点</td>
-    <td>语法高亮</td>
-  </tr>
-  <tr>
-    <td>SQL格式化</td>
-  </tr>
-  <tr>
-    <td>支持快捷键</td>
-  </tr>
-  <tr>
-    <td>支持选中执行</td>
-  </tr>
-  <tr>
-    <td>SQL历史查询</td>
-  </tr>
-  <tr>
-    <td>支持页面创建 DB, TABLE</td>
-  </tr>
-  <tr>
-    <td rowspan="2">会话审计</td>
-    <td>命令记录</td>
-  </tr>
-  <tr>
-    <td>录像回放</td>
-  </tr>
-</table>
-
-## 快速开始
+### 快速开始

 - [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
 - [完整文档](https://docs.jumpserver.org)
 - [演示视频](https://www.bilibili.com/video/BV1ZV41127GB)
+- [手动安装](https://github.com/jumpserver/installer)

-## 组件项目
+### 组件项目
 - [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
 - [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
- [Koko](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
- [Guacamole](https://github.com/jumpserver/docker-guacamole) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
+- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
+- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
+- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
+- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目

-## 致谢
- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化连接依赖
+### 社区
+
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose) 或加入到我们的社区当中进行进一步交流沟通。
+
+#### 微信交流群
+
+<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
+
+### 贡献
+如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
+
+感谢以下贡献者，让 JumpServer 更加完善
+
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
+</a>
+
+<a href="https://github.com/jumpserver/koko/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
+</a>
+
+<a href="https://github.com/jumpserver/lina/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
+</a>
+
+<a href="https://github.com/jumpserver/luna/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
+</a>
+
+
+
+### 致谢
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
 - [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖


-## JumpServer 企业版 
+### JumpServer 企业版 
 - [申请企业版试用](https://jinshuju.net/f/kyOYpi)
-> 注：企业版支持离线安装，申请通过后会提供高速下载链接。

-## 案例研究
+### 案例研究

 - [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
 - [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
@@ -389,7 +112,7 @@ v2.1.0 是 v2.0.0 之后的功能版本。
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。

-## 安全说明
+### 安全说明

 JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.

@@ -399,12 +122,13 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju
 - support@fit2cloud.com 
 - 400-052-0755

-## License & Copyright
+### License & Copyright

-Copyright (c) 2014-2020 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2021 飞致云 FIT2CLOUD, All rights reserved.

 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 https://www.gnu.org/licenses/gpl-2.0.html

 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,170 +1,91 @@
-## Jumpserver 
+<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
+<h3 align="center">Open Source Bastion Host</h3>

-[![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
-[![Django](https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
-[![Docker Pulls](https://img.shields.io/docker/pulls/jumpserver/jms_all.svg)](https://hub.docker.com/u/jumpserver)
+<p align="center">
+  <a href="https://www.gnu.org/licenses/old-licenses/gpl-2.0"><img src="https://shields.io/github/license/jumpserver/jumpserver" alt="License: GPL v2"></a>
+  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
+</p>
+
+JumpServer is the world's first open-source Bastion Host and is licensed under the GNU GPL v2.0. It is a 4A-compliant professional operation and maintenance security audit system.
+
+JumpServer uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience
+
+JumpServer adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.
+
+Change the world by taking every little step

 ----
-## CRITICAL BUG WARNING
+### Advantages

-Recently we have found a critical bug for remote execution vulnerability which leads to pre-auth and info leak, please fix it as soon as possible.
-
-Thanks for **reactivity from Alibaba Hackerone bug bounty program** report us this bug
-
-**Vulnerable version:**
-```
-< v2.6.2
-< v2.5.4
-< v2.4.5 
-= v1.5.9
->= v1.5.3
-```
-
-**Safe and Stable version:**
-```
->= v2.6.2
->= v2.5.4
->= v2.4.5 
-= v1.5.9 （version tag didn't change）
-< v1.5.3
-```
-
-**Bug Fix Solution:**
-Upgrade to the latest version or the version mentioned above
+- Open Source: huge transparency and free to access with quick installation process.
+- Distributed: support large-scale concurrent access with ease.
+- No Plugin required: all you need is a browser, the ultimate Web Terminal experience.
+- Multi-Cloud supported: a unified system to manage assets on different clouds at the same time
+- Cloud storage: audit records are stored in the cloud. Data lost no more!
+- Multi-Tenant system: multiple subsidiary companies or departments access the same system simultaneously.
+- Many applications supported: link to databases, windows remote applications, and Kubernetes cluster, etc.


-**Temporary Solution (upgrade asap):**
+### JumpServer Component Projects
+- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI
+- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal
+- [KoKo](https://github.com/jumpserver/koko) JumpServer Character protocaol Connector, replace original Python Version [Coco](https://github.com/jumpserver/coco)
+- [Lion](https://github.com/jumpserver/lion-release) JumpServer Graphics protocol Connector，rely on [Apache Guacamole](https://guacamole.apache.org/)

-Modify the Nginx config file and disable the vulnerable api listed below
+### Contribution
+If you have any good ideas or helping us to fix bugs, please submit a Pull Request and accept our thanks :)

-```
-/api/v1/authentication/connection-token/
-/api/v1/users/connection-token/
-```
+Thanks to the following contributors for making JumpServer better everyday!

-Path to Nginx config file
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
+</a>

-```
-# Previous Community version
-/etc/nginx/conf.d/jumpserver.conf
+<a href="https://github.com/jumpserver/koko/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
+</a>

-# Previous Enterprise version
-jumpserver-release/nginx/http_server.conf
+<a href="https://github.com/jumpserver/lina/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
+</a>

-# Latest version
-jumpserver-release/compose/config_static/http_server.conf
-```
+<a href="https://github.com/jumpserver/luna/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
+</a>

-Changes in Nginx config file
-
-```
-### Put the following code on top of location server, or before /api and /
-location /api/v1/authentication/connection-token/ {
-   return 403;
-}
- 
-location /api/v1/users/connection-token/ {
-   return 403;
-}
-### End right here
- 
-location /api/ {
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header Host $host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass http://core:8080;
-  }
- 
-...
-```
-
-Save the file and restart Nginx
-
-```
-docker deployment: 
-$ docker restart jms_nginx
-
-rpm or other deployment:
-$ systemctl restart nginx
-
-```
-
-**Bug Fix Verification**
-
-```
-# Download the following script to check if it is fixed
-$ wget https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh 
-
-# Run the code to verify it
-$ bash jms_bug_check.sh demo.jumpserver.org
-漏洞已修复 (It means the bug is fixed)
-漏洞未修复 (It means the bug is not fixed and the system is still vulnerable)
-```
+### Thanks to
+- [Apache Guacamole](https://guacamole.apache.org/) Web page connection RDP, SSH, VNC protocol equipment. JumpServer graphical connection dependent.
+- [OmniDB](https://omnidb.org/) Web page connection to databases. JumpServer Web database dependent.


-**Attack Simulation**
+### JumpServer Enterprise Version 
+- [Apply for it](https://jinshuju.net/f/kyOYpi)

-Go to the logs directory which should contain gunicorn.log file. Then download the "attack" script and execute it
+### Case Study

-```
-$ pwd
-/opt/jumpserver/core/logs
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。

-$ ls gunicorn.log
-gunicorn.log
+### For safety instructions

-$ wget 'https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_check_attack.sh'
-$ bash jms_check_attack.sh
-系统未被入侵 (It means the system is safe)
-系统已被入侵 (It means the system is being attacked)
-```
+JumpServer is a security product. Please refer to [Basic Security Recommendations](https://docs.jumpserver.org/zh/master/install/install_security/) for deployment and installation.

--------------------------
-
----
-
- [中文版](https://github.com/jumpserver/jumpserver/blob/master/README.md)
-
-Jumpserver is the world's first open-source PAM (Privileged Access Management System) and is licensed under the GNU GPL v2.0. It is a 4A-compliant professional operation and maintenance security audit system.
-
-Jumpserver uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience
-
-Jumpserver adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.
-
-Change the world, starting from little things.
-
----
-
-### Features
-
- ![Jumpserver 功能](https://jumpserver-release.oss-cn-hangzhou.aliyuncs.com/Jumpserver148.jpeg "Jumpserver 功能")
-
-### Start 
-
-Quick start  [Docker Install](http://docs.jumpserver.org/zh/docs/dockerinstall.html)
-
-Step by Step deployment. [Docs](http://docs.jumpserver.org/zh/docs/step_by_step.html)
-
-Full documentation [Docs](http://docs.jumpserver.org)
-
-### Demo、Video 和 Snapshot
-
-We provide online demo, demo video and screenshots to get you started quickly.
-
-[Demo](https://demo.jumpserver.org/auth/login/?next=/)
-[Video](https://fit2cloud2-offline-installer.oss-cn-beijing.aliyuncs.com/tools/Jumpserver%20%E4%BB%8B%E7%BB%8Dv1.4.mp4)
-[Snapshot](http://docs.jumpserver.org/zh/docs/snapshot.html)
-
-### SDK
-
-We provide the SDK for your other systems to quickly interact with the Jumpserver API.
-
- [Python](https://github.com/jumpserver/jumpserver-python-sdk) Jumpserver other components use this SDK to complete the interaction.
- [Java](https://github.com/KaiJunYan/jumpserver-java-sdk.git) Thanks to 恺珺 for providing his Java SDK vesrion.
+If you find a security problem, please contact us directly：

+- ibuler@fit2cloud.com 
+- support@fit2cloud.com 
+- 400-052-0755

 ### License & Copyright
-Copyright (c) 2014-2019 Beijing Duizhan Tech, Inc., All rights reserved.
+Copyright (c) 2014-2021 Beijing Duizhan Tech, Inc., All rights reserved.

 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# 安全说明
+
+JumpServer 是一款正在成长的安全产品， 请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
+
+如果你发现安全问题，请直接联系我们，我们携手让世界更好：
+
+- ibuler@fit2cloud.com
+- support@fit2cloud.com
+- 400-052-0755
--- a/apps/perms/async_tasks/init.py
+++ b/apps/perms/async_tasks/init.py
--- a/apps/acls/admin.py
+++ b/apps/acls/admin.py
@@ -0,0 +1,3 @@
+from django.contrib import admin
+
+# Register your models here.
--- a/apps/acls/api/init.py
+++ b/apps/acls/api/init.py
@@ -0,0 +1,3 @@
+from .login_acl import *
+from .login_asset_acl import *
+from .login_asset_check import *
--- a/apps/acls/api/login_acl.py
+++ b/apps/acls/api/login_acl.py
@@ -0,0 +1,20 @@
+from common.permissions import IsOrgAdmin, HasQueryParamsUserAndIsCurrentOrgMember
+from common.drf.api import JMSBulkModelViewSet
+from ..models import LoginACL
+from .. import serializers
+from ..filters import LoginAclFilter
+
+__all__ = ['LoginACLViewSet', ]
+
+
+class LoginACLViewSet(JMSBulkModelViewSet):
+    queryset = LoginACL.objects.all()
+    filterset_class = LoginAclFilter
+    search_fields = ('name',)
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = serializers.LoginACLSerializer
+
+    def get_permissions(self):
+        if self.action in ["retrieve", "list"]:
+            self.permission_classes = (IsOrgAdmin, HasQueryParamsUserAndIsCurrentOrgMember)
+        return super().get_permissions()
--- a/apps/acls/api/login_asset_acl.py
+++ b/apps/acls/api/login_asset_acl.py
@@ -0,0 +1,14 @@
+from orgs.mixins.api import OrgBulkModelViewSet
+from common.permissions import IsOrgAdmin
+from .. import models, serializers
+
+
+__all__ = ['LoginAssetACLViewSet']
+
+
+class LoginAssetACLViewSet(OrgBulkModelViewSet):
+    model = models.LoginAssetACL
+    filterset_fields = ('name', )
+    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin, )
+    serializer_class = serializers.LoginAssetACLSerializer
--- a/apps/acls/api/login_asset_check.py
+++ b/apps/acls/api/login_asset_check.py
@@ -0,0 +1,75 @@
+from rest_framework.response import Response
+from rest_framework.generics import CreateAPIView
+
+from common.permissions import IsAppUser
+from common.utils import reverse, lazyproperty
+from orgs.utils import tmp_to_org
+from tickets.api import GenericTicketStatusRetrieveCloseAPI
+from ..models import LoginAssetACL
+from .. import serializers
+
+__all__ = ['LoginAssetCheckAPI', 'LoginAssetConfirmStatusAPI']
+
+
+class LoginAssetCheckAPI(CreateAPIView):
+    permission_classes = (IsAppUser,)
+    serializer_class = serializers.LoginAssetCheckSerializer
+
+    def create(self, request, *args, **kwargs):
+        is_need_confirm, response_data = self.check_if_need_confirm()
+        return Response(data=response_data, status=200)
+
+    def check_if_need_confirm(self):
+        queries = {
+            'user': self.serializer.user, 'asset': self.serializer.asset,
+            'system_user': self.serializer.system_user,
+            'action': LoginAssetACL.ActionChoices.login_confirm
+        }
+        with tmp_to_org(self.serializer.org):
+            acl = LoginAssetACL.filter(**queries).valid().first()
+
+        if not acl:
+            is_need_confirm = False
+            response_data = {}
+        else:
+            is_need_confirm = True
+            response_data = self._get_response_data_of_need_confirm(acl)
+        response_data['need_confirm'] = is_need_confirm
+        return is_need_confirm, response_data
+
+    def _get_response_data_of_need_confirm(self, acl):
+        ticket = LoginAssetACL.create_login_asset_confirm_ticket(
+            user=self.serializer.user,
+            asset=self.serializer.asset,
+            system_user=self.serializer.system_user,
+            assignees=acl.reviewers.all(),
+            org_id=self.serializer.org.id
+        )
+        confirm_status_url = reverse(
+            view_name='api-acls:login-asset-confirm-status',
+            kwargs={'pk': str(ticket.id)}
+        )
+        ticket_detail_url = reverse(
+            view_name='api-tickets:ticket-detail',
+            kwargs={'pk': str(ticket.id)},
+            external=True, api_to_ui=True
+        )
+        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
+        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        data = {
+            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
+            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
+            'ticket_detail_url': ticket_detail_url,
+            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees]
+        }
+        return data
+
+    @lazyproperty
+    def serializer(self):
+        serializer = self.get_serializer(data=self.request.data)
+        serializer.is_valid(raise_exception=True)
+        return serializer
+
+
+class LoginAssetConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
+    pass
--- a/apps/acls/apps.py
+++ b/apps/acls/apps.py
@@ -0,0 +1,5 @@
+from django.apps import AppConfig
+
+
+class AclsConfig(AppConfig):
+    name = 'acls'
--- a/apps/acls/filters.py
+++ b/apps/acls/filters.py
@@ -0,0 +1,15 @@
+from django_filters import rest_framework as filters
+from common.drf.filters import BaseFilterSet
+
+from acls.models import LoginACL
+
+
+class LoginAclFilter(BaseFilterSet):
+    user = filters.UUIDFilter(field_name='user_id')
+    user_display = filters.CharFilter(field_name='user__name')
+
+    class Meta:
+        model = LoginACL
+        fields = (
+            'name', 'user', 'user_display', 'action'
+        )
--- a/apps/acls/migrations/0001_initial.py
+++ b/apps/acls/migrations/0001_initial.py
@@ -0,0 +1,61 @@
+# Generated by Django 3.1 on 2021-03-11 09:53
+
+from django.conf import settings
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='LoginACL',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('ip_group', models.JSONField(default=list, verbose_name='Login IP')),
+                ('action', models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow')], default='reject', max_length=64, verbose_name='Action')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='login_acls', to=settings.AUTH_USER_MODEL, verbose_name='User')),
+            ],
+            options={
+                'ordering': ('priority', '-date_updated', 'name'),
+            },
+        ),
+        migrations.CreateModel(
+            name='LoginAssetACL',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('users', models.JSONField(verbose_name='User')),
+                ('system_users', models.JSONField(verbose_name='System User')),
+                ('assets', models.JSONField(verbose_name='Asset')),
+                ('action', models.CharField(choices=[('login_confirm', 'Login confirm')], default='login_confirm', max_length=64, verbose_name='Action')),
+                ('reviewers', models.ManyToManyField(blank=True, related_name='review_login_asset_acls', to=settings.AUTH_USER_MODEL, verbose_name='Reviewers')),
+            ],
+            options={
+                'ordering': ('priority', '-date_updated', 'name'),
+                'unique_together': {('name', 'org_id')},
+            },
+        ),
+    ]
--- a/apps/acls/migrations/0002_auto_20210926_1047.py
+++ b/apps/acls/migrations/0002_auto_20210926_1047.py
@@ -0,0 +1,98 @@
+# Generated by Django 3.1.12 on 2021-09-26 02:47
+import django
+from django.conf import settings
+from django.db import migrations, models, transaction
+from acls.models import LoginACL
+
+LOGIN_CONFIRM_ZH = '登录复核'
+LOGIN_CONFIRM_EN = 'Login confirm'
+
+DEFAULT_TIME_PERIODS = [{'id': i, 'value': '00:00~00:00'} for i in range(7)]
+
+
+def has_zh(name: str) -> bool:
+    for i in name:
+        if u'\u4e00' <= i <= u'\u9fff':
+            return True
+    return False
+
+
+def migrate_login_confirm(apps, schema_editor):
+    login_acl_model = apps.get_model("acls", "LoginACL")
+    login_confirm_model = apps.get_model("authentication", "LoginConfirmSetting")
+
+    with transaction.atomic():
+        for instance in login_confirm_model.objects.filter(is_active=True):
+            user = instance.user
+            reviewers = instance.reviewers.all()
+            login_confirm = LOGIN_CONFIRM_ZH if has_zh(user.name) else LOGIN_CONFIRM_EN
+            date_created = instance.date_created.strftime('%Y-%m-%d %H:%M:%S')
+            if reviewers.count() == 0:
+                continue
+            data = {
+                'user': user,
+                'name': f'{user.name}-{login_confirm} ({date_created})',
+                'created_by': instance.created_by,
+                'action': LoginACL.ActionChoices.confirm,
+                'rules': {'ip_group': ['*'], 'time_period': DEFAULT_TIME_PERIODS}
+            }
+            instance = login_acl_model.objects.create(**data)
+            instance.reviewers.set(reviewers)
+
+
+def migrate_ip_group(apps, schema_editor):
+    login_acl_model = apps.get_model("acls", "LoginACL")
+    updates = list()
+    with transaction.atomic():
+        for instance in login_acl_model.objects.exclude(action=LoginACL.ActionChoices.confirm):
+            instance.rules = {'ip_group': instance.ip_group, 'time_period': DEFAULT_TIME_PERIODS}
+            updates.append(instance)
+        login_acl_model.objects.bulk_update(updates, ['rules', ])
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('acls', '0001_initial'),
+        ('authentication', '0004_ssotoken'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='loginacl',
+            name='action',
+            field=models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow'), ('confirm', 'Login confirm')],
+                                   default='reject', max_length=64, verbose_name='Action'),
+        ),
+        migrations.AddField(
+            model_name='loginacl',
+            name='reviewers',
+            field=models.ManyToManyField(blank=True, related_name='login_confirm_acls',
+                                         to=settings.AUTH_USER_MODEL, verbose_name='Reviewers'),
+        ),
+        migrations.AlterField(
+            model_name='loginacl',
+            name='user',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE,
+                                    related_name='login_acls', to=settings.AUTH_USER_MODEL, verbose_name='User'),
+        ),
+        migrations.AddField(
+            model_name='loginacl',
+            name='rules',
+            field=models.JSONField(default=dict, verbose_name='Rule'),
+        ),
+        migrations.RunPython(migrate_login_confirm),
+        migrations.RunPython(migrate_ip_group),
+        migrations.RemoveField(
+            model_name='loginacl',
+            name='ip_group',
+        ),
+        migrations.AlterModelOptions(
+            name='loginacl',
+            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login acl'},
+        ),
+        migrations.AlterModelOptions(
+            name='loginassetacl',
+            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login asset acl'},
+        ),
+    ]
--- a/apps/acls/migrations/init.py
+++ b/apps/acls/migrations/init.py
--- a/apps/acls/models/init.py
+++ b/apps/acls/models/init.py
@@ -0,0 +1,2 @@
+from .login_acl import *
+from .login_asset_acl import *
--- a/apps/acls/models/base.py
+++ b/apps/acls/models/base.py
@@ -0,0 +1,35 @@
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+from django.core.validators import MinValueValidator, MaxValueValidator
+from common.mixins import CommonModelMixin
+
+
+__all__ = ['BaseACL', 'BaseACLQuerySet']
+
+
+class BaseACLQuerySet(models.QuerySet):
+    def active(self):
+        return self.filter(is_active=True)
+
+    def inactive(self):
+        return self.filter(is_active=False)
+
+    def valid(self):
+        return self.active()
+
+    def invalid(self):
+        return self.inactive()
+
+
+class BaseACL(CommonModelMixin):
+    name = models.CharField(max_length=128, verbose_name=_('Name'))
+    priority = models.IntegerField(
+        default=50, verbose_name=_("Priority"),
+        help_text=_("1-100, the lower the value will be match first"),
+        validators=[MinValueValidator(1), MaxValueValidator(100)]
+    )
+    is_active = models.BooleanField(default=True, verbose_name=_("Active"))
+    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
+
+    class Meta:
+        abstract = True
--- a/apps/acls/models/login_acl.py
+++ b/apps/acls/models/login_acl.py
@@ -0,0 +1,128 @@
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+from .base import BaseACL, BaseACLQuerySet
+from common.utils import get_request_ip, get_ip_city
+from common.utils.ip import contains_ip
+from common.utils.time_period import contains_time_period
+from common.utils.timezone import local_now_display
+
+
+class ACLManager(models.Manager):
+
+    def valid(self):
+        return self.get_queryset().valid()
+
+
+class LoginACL(BaseACL):
+    class ActionChoices(models.TextChoices):
+        reject = 'reject', _('Reject')
+        allow = 'allow', _('Allow')
+        confirm = 'confirm', _('Login confirm')
+
+    # 用户
+    user = models.ForeignKey(
+        'users.User', on_delete=models.CASCADE, verbose_name=_('User'),
+        related_name='login_acls'
+    )
+    # 规则
+    rules = models.JSONField(default=dict, verbose_name=_('Rule'))
+    # 动作
+    action = models.CharField(
+        max_length=64, verbose_name=_('Action'),
+        choices=ActionChoices.choices, default=ActionChoices.reject
+    )
+    reviewers = models.ManyToManyField(
+        'users.User', verbose_name=_("Reviewers"),
+        related_name="login_confirm_acls", blank=True
+    )
+    objects = ACLManager.from_queryset(BaseACLQuerySet)()
+
+    class Meta:
+        ordering = ('priority', '-date_updated', 'name')
+        verbose_name = _('Login acl')
+
+    def __str__(self):
+        return self.name
+
+    @property
+    def action_reject(self):
+        return self.action == self.ActionChoices.reject
+
+    @property
+    def action_allow(self):
+        return self.action == self.ActionChoices.allow
+
+    @classmethod
+    def filter_acl(cls, user):
+        return user.login_acls.all().valid().distinct()
+
+    @staticmethod
+    def allow_user_confirm_if_need(user, ip):
+        acl = LoginACL.filter_acl(user).filter(
+            action=LoginACL.ActionChoices.confirm
+        ).first()
+        acl = acl if acl and acl.reviewers.exists() else None
+        if not acl:
+            return False, acl
+        ip_group = acl.rules.get('ip_group')
+        time_periods = acl.rules.get('time_period')
+        is_contain_ip = contains_ip(ip, ip_group)
+        is_contain_time_period = contains_time_period(time_periods)
+        return is_contain_ip and is_contain_time_period, acl
+
+    @staticmethod
+    def allow_user_to_login(user, ip):
+        acl = LoginACL.filter_acl(user).exclude(
+            action=LoginACL.ActionChoices.confirm
+        ).first()
+        if not acl:
+            return True, ''
+        ip_group = acl.rules.get('ip_group')
+        time_periods = acl.rules.get('time_period')
+        is_contain_ip = contains_ip(ip, ip_group)
+        is_contain_time_period = contains_time_period(time_periods)
+
+        reject_type = ''
+        if is_contain_ip and is_contain_time_period:
+            # 满足条件
+            allow = acl.action_allow
+            if not allow:
+                reject_type = 'ip' if is_contain_ip else 'time'
+        else:
+            # 不满足条件
+            # 如果acl本身允许，那就拒绝；如果本身拒绝，那就允许
+            allow = not acl.action_allow
+            if not allow:
+                reject_type = 'ip' if not is_contain_ip else 'time'
+
+        return allow, reject_type
+
+    @staticmethod
+    def construct_confirm_ticket_meta(request=None):
+        login_ip = get_request_ip(request) if request else ''
+        login_ip = login_ip or '0.0.0.0'
+        login_city = get_ip_city(login_ip)
+        login_datetime = local_now_display()
+        ticket_meta = {
+            'apply_login_ip': login_ip,
+            'apply_login_city': login_city,
+            'apply_login_datetime': login_datetime,
+        }
+        return ticket_meta
+
+    def create_confirm_ticket(self, request=None):
+        from tickets import const
+        from tickets.models import Ticket
+        from orgs.models import Organization
+        ticket_title = _('Login confirm') + ' {}'.format(self.user)
+        ticket_meta = self.construct_confirm_ticket_meta(request)
+        data = {
+            'title': ticket_title,
+            'type': const.TicketType.login_confirm.value,
+            'meta': ticket_meta,
+            'org_id': Organization.ROOT_ID,
+        }
+        ticket = Ticket.objects.create(**data)
+        ticket.create_process_map_and_node(self.reviewers.all())
+        ticket.open(self.user)
+        return ticket
--- a/apps/acls/models/login_asset_acl.py
+++ b/apps/acls/models/login_asset_acl.py
@@ -0,0 +1,103 @@
+from django.db import models
+from django.db.models import Q
+from django.utils.translation import ugettext_lazy as _
+from orgs.mixins.models import OrgModelMixin, OrgManager
+from .base import BaseACL, BaseACLQuerySet
+from common.utils.ip import contains_ip
+
+
+class ACLManager(OrgManager):
+
+    def valid(self):
+        return self.get_queryset().valid()
+
+
+class LoginAssetACL(BaseACL, OrgModelMixin):
+    class ActionChoices(models.TextChoices):
+        login_confirm = 'login_confirm', _('Login confirm')
+
+    # 条件
+    users = models.JSONField(verbose_name=_('User'))
+    system_users = models.JSONField(verbose_name=_('System User'))
+    assets = models.JSONField(verbose_name=_('Asset'))
+    # 动作
+    action = models.CharField(
+        max_length=64, choices=ActionChoices.choices, default=ActionChoices.login_confirm,
+        verbose_name=_('Action')
+    )
+    # 动作: 附加字段
+    # - login_confirm
+    reviewers = models.ManyToManyField(
+        'users.User', related_name='review_login_asset_acls', blank=True,
+        verbose_name=_("Reviewers")
+    )
+
+    objects = ACLManager.from_queryset(BaseACLQuerySet)()
+
+    class Meta:
+        unique_together = ('name', 'org_id')
+        ordering = ('priority', '-date_updated', 'name')
+        verbose_name = _('Login asset acl')
+
+    def __str__(self):
+        return self.name
+
+    @classmethod
+    def filter(cls, user, asset, system_user, action):
+        queryset = cls.objects.filter(action=action)
+        queryset = cls.filter_user(user, queryset)
+        queryset = cls.filter_asset(asset, queryset)
+        queryset = cls.filter_system_user(system_user, queryset)
+        return queryset
+
+    @classmethod
+    def filter_user(cls, user, queryset):
+        queryset = queryset.filter(
+            Q(users__username_group__contains=user.username) |
+            Q(users__username_group__contains='*')
+        )
+        return queryset
+
+    @classmethod
+    def filter_asset(cls, asset, queryset):
+        queryset = queryset.filter(
+            Q(assets__hostname_group__contains=asset.hostname) |
+            Q(assets__hostname_group__contains='*')
+        )
+        ids = [q.id for q in queryset if contains_ip(asset.ip, q.assets.get('ip_group', []))]
+        queryset = cls.objects.filter(id__in=ids)
+        return queryset
+
+    @classmethod
+    def filter_system_user(cls, system_user, queryset):
+        queryset = queryset.filter(
+            Q(system_users__name_group__contains=system_user.name) |
+            Q(system_users__name_group__contains='*')
+        ).filter(
+            Q(system_users__username_group__contains=system_user.username) |
+            Q(system_users__username_group__contains='*')
+        ).filter(
+            Q(system_users__protocol_group__contains=system_user.protocol) |
+            Q(system_users__protocol_group__contains='*')
+        )
+        return queryset
+
+    @classmethod
+    def create_login_asset_confirm_ticket(cls, user, asset, system_user, assignees, org_id):
+        from tickets.const import TicketType
+        from tickets.models import Ticket
+        data = {
+            'title': _('Login asset confirm') + ' ({})'.format(user),
+            'type': TicketType.login_asset_confirm,
+            'meta': {
+                'apply_login_user': str(user),
+                'apply_login_asset': str(asset),
+                'apply_login_system_user': str(system_user),
+            },
+            'org_id': org_id,
+        }
+        ticket = Ticket.objects.create(**data)
+        ticket.create_process_map_and_node(assignees)
+        ticket.open(applicant=user)
+        return ticket
+
--- a/apps/acls/serializers/init.py
+++ b/apps/acls/serializers/init.py
@@ -0,0 +1,3 @@
+from .login_acl import *
+from .login_asset_acl import *
+from .login_asset_check import *
--- a/apps/acls/serializers/login_acl.py
+++ b/apps/acls/serializers/login_acl.py
@@ -0,0 +1,56 @@
+from django.utils.translation import ugettext as _
+from rest_framework import serializers
+from common.drf.serializers import BulkModelSerializer
+from common.drf.serializers import MethodSerializer
+from jumpserver.utils import has_valid_xpack_license
+from ..models import LoginACL
+from .rules import RuleSerializer
+
+__all__ = ['LoginACLSerializer', ]
+
+common_help_text = _('Format for comma-delimited string, with * indicating a match all. ')
+
+
+class LoginACLSerializer(BulkModelSerializer):
+    user_display = serializers.ReadOnlyField(source='user.username', label=_('Username'))
+    reviewers_display = serializers.SerializerMethodField(label=_('Reviewers'))
+    action_display = serializers.ReadOnlyField(source='get_action_display', label=_('Action'))
+    reviewers_amount = serializers.IntegerField(read_only=True, source='reviewers.count')
+    rules = MethodSerializer()
+
+    class Meta:
+        model = LoginACL
+        fields_mini = ['id', 'name']
+        fields_small = fields_mini + [
+            'priority', 'rules', 'action', 'action_display',
+            'is_active', 'user', 'user_display',
+            'date_created', 'date_updated', 'reviewers_amount',
+            'comment', 'created_by'
+        ]
+        fields_fk = ['user', 'user_display']
+        fields_m2m = ['reviewers', 'reviewers_display']
+        fields = fields_small + fields_fk + fields_m2m
+        extra_kwargs = {
+            'priority': {'default': 50},
+            'is_active': {'default': True},
+            "reviewers": {'allow_null': False, 'required': True},
+        }
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.set_action_choices()
+
+    def set_action_choices(self):
+        action = self.fields.get('action')
+        if not action:
+            return
+        choices = action._choices
+        if not has_valid_xpack_license():
+            choices.pop(LoginACL.ActionChoices.confirm, None)
+        action._choices = choices
+
+    def get_rules_serializer(self):
+        return RuleSerializer()
+
+    def get_reviewers_display(self, obj):
+        return ','.join([str(user) for user in obj.reviewers.all()])
--- a/apps/acls/serializers/login_asset_acl.py
+++ b/apps/acls/serializers/login_asset_acl.py
@@ -0,0 +1,105 @@
+from rest_framework import serializers
+from django.utils.translation import ugettext_lazy as _
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from assets.models import SystemUser
+from acls import models
+from orgs.models import Organization
+
+
+__all__ = ['LoginAssetACLSerializer']
+
+
+common_help_text = _('Format for comma-delimited string, with * indicating a match all. ')
+
+
+class LoginAssetACLUsersSerializer(serializers.Serializer):
+    username_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=128), label=_('Username'),
+        help_text=common_help_text
+    )
+
+
+class LoginAssetACLAssestsSerializer(serializers.Serializer):
+    ip_group_help_text = _(
+        'Format for comma-delimited string, with * indicating a match all. '
+        'Such as: '
+        '192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64 '
+        '(Domain name support)'
+    )
+
+    ip_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=1024), label=_('IP'),
+        help_text=ip_group_help_text
+    )
+    hostname_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=128), label=_('Hostname'),
+        help_text=common_help_text
+    )
+
+
+class LoginAssetACLSystemUsersSerializer(serializers.Serializer):
+    protocol_group_help_text = _(
+        'Format for comma-delimited string, with * indicating a match all. '
+        'Protocol options: {}'
+    )
+
+    name_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=128), label=_('Name'),
+        help_text=common_help_text
+    )
+    username_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=128), label=_('Username'),
+        help_text=common_help_text
+    )
+    protocol_group = serializers.ListField(
+        default=['*'], child=serializers.CharField(max_length=16), label=_('Protocol'),
+        help_text=protocol_group_help_text.format(
+            ', '.join([SystemUser.Protocol.ssh, SystemUser.Protocol.telnet])
+        )
+    )
+
+    @staticmethod
+    def validate_protocol_group(protocol_group):
+        unsupported_protocols = set(protocol_group) - set(SystemUser.ASSET_CATEGORY_PROTOCOLS + ['*'])
+        if unsupported_protocols:
+            error = _('Unsupported protocols: {}').format(unsupported_protocols)
+            raise serializers.ValidationError(error)
+        return protocol_group
+
+
+class LoginAssetACLSerializer(BulkOrgResourceModelSerializer):
+    users = LoginAssetACLUsersSerializer()
+    assets = LoginAssetACLAssestsSerializer()
+    system_users = LoginAssetACLSystemUsersSerializer()
+    reviewers_amount = serializers.IntegerField(read_only=True, source='reviewers.count')
+    action_display = serializers.ReadOnlyField(source='get_action_display', label=_('Action'))
+
+    class Meta:
+        model = models.LoginAssetACL
+        fields_mini = ['id', 'name']
+        fields_small = fields_mini + [
+            'users', 'system_users', 'assets',
+            'is_active',
+            'date_created', 'date_updated',
+            'priority', 'action', 'action_display', 'comment', 'created_by', 'org_id'
+        ]
+        fields_m2m = ['reviewers', 'reviewers_amount']
+        fields = fields_small + fields_m2m
+        extra_kwargs = {
+            "reviewers": {'allow_null': False, 'required': True},
+            'priority': {'default': 50},
+            'is_active': {'default': True},
+        }
+
+    def validate_reviewers(self, reviewers):
+        org_id = self.fields['org_id'].default()
+        org = Organization.get_instance(org_id)
+        if not org:
+            error = _('The organization `{}` does not exist'.format(org_id))
+            raise serializers.ValidationError(error)
+        users = org.get_members()
+        valid_reviewers = list(set(reviewers) & set(users))
+        if not valid_reviewers:
+            error = _('None of the reviewers belong to Organization `{}`'.format(org.name))
+            raise serializers.ValidationError(error)
+        return valid_reviewers
--- a/apps/acls/serializers/login_asset_check.py
+++ b/apps/acls/serializers/login_asset_check.py
@@ -0,0 +1,71 @@
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
+from orgs.utils import tmp_to_root_org
+from common.utils import get_object_or_none, lazyproperty
+from users.models import User
+from assets.models import Asset, SystemUser
+
+
+__all__ = ['LoginAssetCheckSerializer']
+
+
+class LoginAssetCheckSerializer(serializers.Serializer):
+    user_id = serializers.UUIDField(required=True, allow_null=False)
+    asset_id = serializers.UUIDField(required=True, allow_null=False)
+    system_user_id = serializers.UUIDField(required=True, allow_null=False)
+    system_user_username = serializers.CharField(max_length=128, default='')
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.user = None
+        self.asset = None
+        self._system_user = None
+        self._system_user_username = None
+
+    def validate_user_id(self, user_id):
+        self.user = self.validate_object_exist(User, user_id)
+        return user_id
+
+    def validate_asset_id(self, asset_id):
+        self.asset = self.validate_object_exist(Asset, asset_id)
+        return asset_id
+
+    def validate_system_user_id(self, system_user_id):
+        self._system_user = self.validate_object_exist(SystemUser, system_user_id)
+        return system_user_id
+
+    def validate_system_user_username(self, system_user_username):
+        system_user_id = self.initial_data.get('system_user_id')
+        system_user = self.validate_object_exist(SystemUser, system_user_id)
+        if self._system_user.login_mode == SystemUser.LOGIN_MANUAL \
+                and not system_user.username \
+                and not system_user.username_same_with_user \
+                and not system_user_username:
+            error = 'Missing parameter: system_user_username'
+            raise serializers.ValidationError(error)
+        self._system_user_username = system_user_username
+        return system_user_username
+
+    @staticmethod
+    def validate_object_exist(model, field_id):
+        with tmp_to_root_org():
+            obj = get_object_or_none(model, pk=field_id)
+        if not obj:
+            error = '{} Model object does not exist'.format(model.__name__)
+            raise serializers.ValidationError(error)
+        return obj
+
+    @lazyproperty
+    def system_user(self):
+        if self._system_user.username_same_with_user:
+            username = self.user.username
+        elif self._system_user.login_mode == SystemUser.LOGIN_MANUAL:
+            username = self._system_user_username
+        else:
+            username = self._system_user.username
+        self._system_user.username = username
+        return self._system_user
+
+    @lazyproperty
+    def org(self):
+        return self.asset.org
--- a/apps/acls/serializers/rules/init.py
+++ b/apps/acls/serializers/rules/init.py
@@ -0,0 +1 @@
+from .rules import *
--- a/apps/acls/serializers/rules/rules.py
+++ b/apps/acls/serializers/rules/rules.py
@@ -0,0 +1,34 @@
+# coding: utf-8
+#
+from rest_framework import serializers
+from django.utils.translation import ugettext_lazy as _
+
+from common.utils import get_logger
+from common.utils.ip import is_ip_address, is_ip_network, is_ip_segment
+
+logger = get_logger(__file__)
+
+__all__ = ['RuleSerializer']
+
+
+def ip_group_child_validator(ip_group_child):
+    is_valid = ip_group_child == '*' \
+               or is_ip_address(ip_group_child) \
+               or is_ip_network(ip_group_child) \
+               or is_ip_segment(ip_group_child)
+    if not is_valid:
+        error = _('IP address invalid: `{}`').format(ip_group_child)
+        raise serializers.ValidationError(error)
+
+
+class RuleSerializer(serializers.Serializer):
+    ip_group_help_text = _(
+        'Format for comma-delimited string, with * indicating a match all. '
+        'Such as: '
+        '192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64 '
+    )
+
+    ip_group = serializers.ListField(
+        default=['*'], label=_('IP'), help_text=ip_group_help_text,
+        child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator]))
+    time_period = serializers.ListField(default=[], label=_('Time Period'))
--- a/apps/acls/tests.py
+++ b/apps/acls/tests.py
@@ -0,0 +1,3 @@
+from django.test import TestCase
+
+# Create your tests here.
--- a/apps/acls/urls/init.py
+++ b/apps/acls/urls/init.py
@@ -0,0 +1 @@
+from .api_urls import *
--- a/apps/acls/urls/api_urls.py
+++ b/apps/acls/urls/api_urls.py
@@ -0,0 +1,18 @@
+from django.urls import path
+from rest_framework_bulk.routes import BulkRouter
+from .. import api
+
+
+app_name = 'acls'
+
+
+router = BulkRouter()
+router.register(r'login-acls', api.LoginACLViewSet, 'login-acl')
+router.register(r'login-asset-acls', api.LoginAssetACLViewSet, 'login-asset-acl')
+
+urlpatterns = [
+    path('login-asset/check/', api.LoginAssetCheckAPI.as_view(), name='login-asset-check'),
+    path('login-asset-confirm/<uuid:pk>/status/', api.LoginAssetConfirmStatusAPI.as_view(), name='login-asset-confirm-status')
+]
+
+urlpatterns += router.urls
--- a/apps/acls/utils.py
+++ b/apps/acls/utils.py
--- a/apps/applications/api/init.py
+++ b/apps/applications/api/init.py
@@ -1,3 +1,4 @@
 from .application import *
+from .account import *
 from .mixin import *
 from .remote_app import *
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@@ -0,0 +1,58 @@
+# coding: utf-8
+#
+
+from django_filters import rest_framework as filters
+from django.db.models import F, Q
+
+from common.drf.filters import BaseFilterSet
+from common.drf.api import JMSBulkModelViewSet
+from ..models import Account
+from ..hands import IsOrgAdminOrAppUser, IsOrgAdmin, NeedMFAVerify
+from .. import serializers
+
+
+class AccountFilterSet(BaseFilterSet):
+    username = filters.CharFilter(method='do_nothing')
+    type = filters.CharFilter(field_name='type', lookup_expr='exact')
+    category = filters.CharFilter(field_name='category', lookup_expr='exact')
+    app_display = filters.CharFilter(field_name='app_display', lookup_expr='exact')
+
+    class Meta:
+        model = Account
+        fields = ['app', 'systemuser']
+
+    @property
+    def qs(self):
+        qs = super().qs
+        qs = self.filter_username(qs)
+        return qs
+
+    def filter_username(self, qs):
+        username = self.get_query_param('username')
+        if not username:
+            return qs
+        qs = qs.filter(Q(username=username) | Q(systemuser__username=username)).distinct()
+        return qs
+
+
+class ApplicationAccountViewSet(JMSBulkModelViewSet):
+    model = Account
+    search_fields = ['username', 'app_display']
+    filterset_class = AccountFilterSet
+    filterset_fields = ['username', 'app_display', 'type', 'category', 'app']
+    serializer_class = serializers.AppAccountSerializer
+    permission_classes = (IsOrgAdmin,)
+
+    def get_queryset(self):
+        queryset = Account.objects.all() \
+            .annotate(type=F('app__type')) \
+            .annotate(app_display=F('app__name')) \
+            .annotate(systemuser_display=F('systemuser__name')) \
+            .annotate(category=F('app__category'))
+        return queryset
+
+
+class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
+    serializer_class = serializers.AppAccountSecretSerializer
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+    http_method_names = ['get', 'options']
--- a/apps/applications/api/application.py
+++ b/apps/applications/api/application.py
@@ -2,18 +2,37 @@
 #

 from orgs.mixins.api import OrgBulkModelViewSet
+from rest_framework.decorators import action
+from rest_framework.response import Response

+from common.tree import TreeNodeSerializer
+from common.mixins.api import SuggestionMixin
 from ..hands import IsOrgAdminOrAppUser
-from .. import models, serializers
-
+from .. import serializers
+from ..models import Application

 __all__ = ['ApplicationViewSet']


-class ApplicationViewSet(OrgBulkModelViewSet):
-    model = models.Application
-    filterset_fields = ('name', 'type', 'category')
-    search_fields = filterset_fields
+class ApplicationViewSet(SuggestionMixin, OrgBulkModelViewSet):
+    model = Application
+    filterset_fields = {
+        'name': ['exact'],
+        'category': ['exact'],
+        'type': ['exact', 'in'],
+    }
+    search_fields = ('name', 'type', 'category')
    permission_classes = (IsOrgAdminOrAppUser,)
-    serializer_class = serializers.ApplicationSerializer
+    serializer_classes = {
+        'default': serializers.AppSerializer,
+        'get_tree': TreeNodeSerializer,
+        'suggestion': serializers.MiniAppSerializer
+    }

+    @action(methods=['GET'], detail=False, url_path='tree')
+    def get_tree(self, request, *args, **kwargs):
+        show_count = request.query_params.get('show_count', '1') == '1'
+        queryset = self.filter_queryset(self.get_queryset())
+        tree_nodes = Application.create_tree_nodes(queryset, show_count=show_count)
+        serializer = self.get_serializer(tree_nodes, many=True)
+        return Response(serializer.data)
--- a/apps/applications/api/mixin.py
+++ b/apps/applications/api/mixin.py
@@ -1,89 +1,55 @@
-from orgs.models import Organization
+from django.utils.translation import ugettext as _

+from common.tree import TreeNode
+from orgs.models import Organization
+from ..models import Application

 __all__ = ['SerializeApplicationToTreeNodeMixin']


 class SerializeApplicationToTreeNodeMixin:
+    @staticmethod
+    def filter_organizations(applications):
+        organization_ids = set(applications.values_list('org_id', flat=True))
+        organizations = [Organization.get_instance(org_id) for org_id in organization_ids]
+        organizations.sort(key=lambda x: x.name)
+        return organizations

    @staticmethod
-    def _serialize_db(db):
-        return {
-            'id': db.id,
-            'name': db.name,
-            'title': db.name,
-            'pId': '',
-            'open': False,
-            'iconSkin': 'database',
-            'meta': {'type': 'database_app'}
-        }
-
-    @staticmethod
-    def _serialize_remote_app(remote_app):
-        return {
-            'id': remote_app.id,
-            'name': remote_app.name,
-            'title': remote_app.name,
-            'pId': '',
-            'open': False,
-            'isParent': False,
-            'iconSkin': 'chrome',
-            'meta': {'type': 'remote_app'}
-        }
-
-    @staticmethod
-    def _serialize_cloud(cloud):
-        return {
-            'id': cloud.id,
-            'name': cloud.name,
-            'title': cloud.name,
-            'pId': '',
-            'open': False,
-            'isParent': False,
-            'iconSkin': 'k8s',
-            'meta': {'type': 'k8s_app'}
-        }
-
-    def _serialize_application(self, application):
-        method_name = f'_serialize_{application.category}'
-        data = getattr(self, method_name)(application)
-        data.update({
-            'pId': application.org.id,
-            'org_name': application.org_name
-        })
-        return data
-
-    def serialize_applications(self, applications):
-        data = [self._serialize_application(application) for application in applications]
-        return data
-
-    @staticmethod
-    def _serialize_organization(org):
-        return {
-            'id': org.id,
-            'name': org.name,
-            'title': org.name,
+    def create_root_node():
+        name = _('My applications')
+        node = TreeNode(**{
+            'id': 'applications',
+            'name': name,
+            'title': name,
            'pId': '',
            'open': True,
            'isParent': True,
            'meta': {
-                'type': 'node'
+                'type': 'root'
            }
-        }
-
-    def serialize_organizations(self, organizations):
-        data = [self._serialize_organization(org) for org in organizations]
-        return data
-
-    @staticmethod
-    def filter_organizations(applications):
-        organizations_id = set(applications.values_list('org_id', flat=True))
-        organizations = [Organization.get_instance(org_id) for org_id in organizations_id]
-        return organizations
+        })
+        return node

    def serialize_applications_with_org(self, applications):
+        if not applications:
+            return []
+        root_node = self.create_root_node()
+        tree_nodes = [root_node]
        organizations = self.filter_organizations(applications)
-        data_organizations = self.serialize_organizations(organizations)
-        data_applications = self.serialize_applications(applications)
-        data = data_organizations + data_applications
-        return data
+
+        for i, org in enumerate(organizations):
+            # 组织节点
+            org_node = org.as_tree_node(pid=root_node.id)
+            tree_nodes.append(org_node)
+            org_applications = applications.filter(org_id=org.id)
+            count = org_applications.count()
+            org_node.name += '({})'.format(count)
+
+            # 各应用节点
+            apps_nodes = Application.create_tree_nodes(
+                queryset=org_applications, root_node=org_node,
+                show_empty=False
+            )
+            tree_nodes += apps_nodes
+        return tree_nodes
--- a/apps/applications/const.py
+++ b/apps/applications/const.py
@@ -1,11 +1,10 @@
 #  coding: utf-8
 #
-
 from django.db.models import TextChoices
 from django.utils.translation import ugettext_lazy as _


-class ApplicationCategoryChoices(TextChoices):
+class AppCategory(TextChoices):
    db = 'db', _('Database')
    remote_app = 'remote_app', _('Remote app')
    cloud = 'cloud', 'Cloud'
@@ -15,7 +14,7 @@ class ApplicationCategoryChoices(TextChoices):
        return dict(cls.choices).get(category, '')


-class ApplicationTypeChoices(TextChoices):
+class AppType(TextChoices):
    # db category
    mysql = 'mysql', 'MySQL'
    oracle = 'oracle', 'Oracle'
@@ -31,19 +30,38 @@ class ApplicationTypeChoices(TextChoices):
    # cloud category
    k8s = 'k8s', 'Kubernetes'

+    @classmethod
+    def category_types_mapper(cls):
+        return {
+            AppCategory.db: [cls.mysql, cls.oracle, cls.pgsql, cls.mariadb],
+            AppCategory.remote_app: [cls.chrome, cls.mysql_workbench, cls.vmware_client, cls.custom],
+            AppCategory.cloud: [cls.k8s]
+        }
+
+    @classmethod
+    def type_category_mapper(cls):
+        mapper = {}
+        for category, tps in cls.category_types_mapper().items():
+            for tp in tps:
+                mapper[tp] = category
+        return mapper
+
    @classmethod
    def get_label(cls, tp):
        return dict(cls.choices).get(tp, '')

    @classmethod
    def db_types(cls):
-        return [cls.mysql.value, cls.oracle.value, cls.pgsql.value, cls.mariadb.value]
+        return [tp.value for tp in cls.category_types_mapper()[AppCategory.db]]

    @classmethod
    def remote_app_types(cls):
-        return [cls.chrome.value, cls.mysql_workbench.value, cls.vmware_client.value, cls.custom.value]
+        return [tp.value for tp in cls.category_types_mapper()[AppCategory.remote_app]]

    @classmethod
    def cloud_types(cls):
-        return [cls.k8s.value]
+        return [tp.value for tp in cls.category_types_mapper()[AppCategory.cloud]]
+
+
+

--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -11,5 +11,5 @@
 """


-from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
+from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser, NeedMFAVerify
 from users.models import User, UserGroup
--- a/apps/applications/migrations/0009_applicationuser.py
+++ b/apps/applications/migrations/0009_applicationuser.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1.6 on 2021-06-23 09:48
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0070_auto_20210426_1515'),
+        ('applications', '0008_auto_20210104_0435'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApplicationUser',
+            fields=[
+            ],
+            options={
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('assets.systemuser',),
+        ),
+    ]
--- a/apps/applications/migrations/0010_appaccount_historicalappaccount.py
+++ b/apps/applications/migrations/0010_appaccount_historicalappaccount.py
@@ -0,0 +1,76 @@
+# Generated by Django 3.1.12 on 2021-08-26 09:07
+
+import assets.models.base
+import common.fields.model
+from django.conf import settings
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import simple_history.models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0076_delete_assetuser'),
+        ('applications', '0009_applicationuser'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='HistoricalAccount',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('history_id', models.AutoField(primary_key=True, serialize=False)),
+                ('history_date', models.DateTimeField()),
+                ('history_change_reason', models.CharField(max_length=100, null=True)),
+                ('history_type', models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
+                ('app', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='applications.application', verbose_name='Database')),
+                ('history_user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to=settings.AUTH_USER_MODEL)),
+                ('systemuser', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='assets.systemuser', verbose_name='System user')),
+            ],
+            options={
+                'verbose_name': 'historical Account',
+                'ordering': ('-history_date', '-history_id'),
+                'get_latest_by': 'history_date',
+            },
+            bases=(simple_history.models.HistoricalChanges, models.Model),
+        ),
+        migrations.CreateModel(
+            name='Account',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('app', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='applications.application', verbose_name='Database')),
+                ('systemuser', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.systemuser', verbose_name='System user')),
+            ],
+            options={
+                'verbose_name': 'Account',
+                'unique_together': {('username', 'app', 'systemuser')},
+            },
+            bases=(models.Model, assets.models.base.AuthMixin),
+        ),
+    ]
--- a/apps/applications/migrations/0011_auto_20210826_1759.py
+++ b/apps/applications/migrations/0011_auto_20210826_1759.py
@@ -0,0 +1,40 @@
+# Generated by Django 3.1.12 on 2021-08-26 09:59
+
+from django.db import migrations, transaction
+from django.db.models import F
+
+
+def migrate_app_account(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    app_perm_model = apps.get_model("perms", "ApplicationPermission")
+    app_account_model = apps.get_model("applications", 'Account')
+
+    queryset = app_perm_model.objects \
+        .exclude(system_users__isnull=True) \
+        .exclude(applications__isnull=True) \
+        .annotate(systemuser=F('system_users')) \
+        .annotate(app=F('applications')) \
+        .values('app', 'systemuser', 'org_id')
+
+    accounts = []
+    for p in queryset:
+        if not p['app']:
+            continue
+        account = app_account_model(
+            app_id=p['app'], systemuser_id=p['systemuser'],
+            version=1, org_id=p['org_id']
+        )
+        accounts.append(account)
+
+    app_account_model.objects.using(db_alias).bulk_create(accounts, ignore_conflicts=True)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0010_appaccount_historicalappaccount'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_app_account)
+    ]
--- a/apps/applications/migrations/0012_auto_20211014_2209.py
+++ b/apps/applications/migrations/0012_auto_20211014_2209.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.1.13 on 2021-10-14 14:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0011_auto_20210826_1759'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='account',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='historicalaccount',
+            name='username',
+            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
+        ),
+    ]
--- a/apps/applications/migrations/0013_auto_20211026_1711.py
+++ b/apps/applications/migrations/0013_auto_20211026_1711.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.1.13 on 2021-10-26 09:11
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0012_auto_20211014_2209'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='application',
+            options={'ordering': ('name',), 'verbose_name': 'Application'},
+        ),
+    ]
--- a/apps/applications/models/init.py
+++ b/apps/applications/models/init.py
@@ -1 +1,2 @@
 from .application import *
+from .account import *
--- a/apps/applications/models/account.py
+++ b/apps/applications/models/account.py
@@ -0,0 +1,88 @@
+from django.db import models
+from simple_history.models import HistoricalRecords
+from django.utils.translation import ugettext_lazy as _
+
+from common.utils import lazyproperty
+from assets.models.base import BaseUser
+
+
+class Account(BaseUser):
+    app = models.ForeignKey('applications.Application', on_delete=models.CASCADE, null=True, verbose_name=_('Database'))
+    systemuser = models.ForeignKey('assets.SystemUser', on_delete=models.CASCADE, null=True, verbose_name=_("System user"))
+    version = models.IntegerField(default=1, verbose_name=_('Version'))
+    history = HistoricalRecords()
+
+    auth_attrs = ['username', 'password', 'private_key', 'public_key']
+
+    class Meta:
+        verbose_name = _('Account')
+        unique_together = [('username', 'app', 'systemuser')]
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.auth_snapshot = {}
+
+    def get_or_systemuser_attr(self, attr):
+        val = getattr(self, attr, None)
+        if val:
+            return val
+        if self.systemuser:
+            return getattr(self.systemuser, attr, '')
+        return ''
+
+    def load_auth(self):
+        for attr in self.auth_attrs:
+            value = self.get_or_systemuser_attr(attr)
+            self.auth_snapshot[attr] = [getattr(self, attr), value]
+            setattr(self, attr, value)
+
+    def unload_auth(self):
+        if not self.systemuser:
+            return
+
+        for attr, values in self.auth_snapshot.items():
+            origin_value, loaded_value = values
+            current_value = getattr(self, attr, '')
+            if current_value == loaded_value:
+                setattr(self, attr, origin_value)
+
+    def save(self, *args, **kwargs):
+        self.unload_auth()
+        instance = super().save(*args, **kwargs)
+        self.load_auth()
+        return instance
+
+    @lazyproperty
+    def category(self):
+        return self.app.category
+
+    @lazyproperty
+    def type(self):
+        return self.app.type
+
+    @lazyproperty
+    def app_display(self):
+        return self.systemuser.name
+
+    @property
+    def username_display(self):
+        return self.get_or_systemuser_attr('username') or ''
+
+    @lazyproperty
+    def systemuser_display(self):
+        if not self.systemuser:
+            return ''
+        return str(self.systemuser)
+
+    @property
+    def smart_name(self):
+        username = self.username_display
+
+        if self.app:
+            app = str(self.app)
+        else:
+            app = '*'
+        return '{}@{}'.format(username, app)
+
+    def __str__(self):
+        return self.smart_name
--- a/apps/applications/models/application.py
+++ b/apps/applications/models/application.py
@@ -1,18 +1,174 @@
+from collections import defaultdict
+
 from django.db import models
 from django.utils.translation import ugettext_lazy as _

 from orgs.mixins.models import OrgModelMixin
 from common.mixins import CommonModelMixin
+from common.tree import TreeNode
+from assets.models import Asset, SystemUser
 from .. import const


-class Application(CommonModelMixin, OrgModelMixin):
+class ApplicationTreeNodeMixin:
+    id: str
+    name: str
+    type: str
+    category: str
+
+    @classmethod
+    def create_choice_node(cls, c, id_, pid, tp, opened=False, counts=None,
+                           show_empty=True, show_count=True):
+        count = counts.get(c.value, 0)
+        if count == 0 and not show_empty:
+            return None
+        label = c.label
+        if count is not None and show_count:
+            label = '{} ({})'.format(label, count)
+        data = {
+            'id': id_,
+            'name': label,
+            'title': label,
+            'pId': pid,
+            'isParent': bool(count),
+            'open': opened,
+            'iconSkin': '',
+            'meta': {
+                'type': tp,
+                'data': {
+                    'name': c.name,
+                    'value': c.value
+                }
+            }
+        }
+        return TreeNode(**data)
+
+    @classmethod
+    def create_root_tree_node(cls, queryset, show_count=True):
+        count = queryset.count() if show_count else None
+        root_id = 'applications'
+        root_name = _('Applications')
+        if count is not None and show_count:
+            root_name = '{} ({})'.format(root_name, count)
+        node = TreeNode(**{
+            'id': root_id,
+            'name': root_name,
+            'title': root_name,
+            'pId': '',
+            'isParent': True,
+            'open': True,
+            'iconSkin': '',
+            'meta': {
+                'type': 'applications_root',
+            }
+        })
+        return node
+
+    @classmethod
+    def create_category_tree_nodes(cls, root_node, counts=None, show_empty=True, show_count=True):
+        nodes = []
+        categories = const.AppType.category_types_mapper().keys()
+        for category in categories:
+            i = root_node.id + '_' + category.value
+            node = cls.create_choice_node(
+                category, i, pid=root_node.id, tp='category',
+                counts=counts, opened=False, show_empty=show_empty,
+                show_count=show_count
+            )
+            if not node:
+                continue
+            nodes.append(node)
+        return nodes
+
+    @classmethod
+    def create_types_tree_nodes(cls, root_node, counts, show_empty=True, show_count=True):
+        nodes = []
+        type_category_mapper = const.AppType.type_category_mapper()
+        for tp in const.AppType.type_category_mapper().keys():
+            category = type_category_mapper.get(tp)
+            pid = root_node.id + '_' + category.value
+            i = root_node.id + '_' + tp.value
+            node = cls.create_choice_node(
+                tp, i, pid, tp='type', counts=counts, opened=False,
+                show_empty=show_empty, show_count=show_count
+            )
+            if not node:
+                continue
+            nodes.append(node)
+        return nodes
+
+    @staticmethod
+    def get_tree_node_counts(queryset):
+        counts = defaultdict(int)
+        values = queryset.values_list('type', 'category')
+        for i in values:
+            tp = i[0]
+            category = i[1]
+            counts[tp] += 1
+            counts[category] += 1
+        return counts
+
+    @classmethod
+    def create_tree_nodes(cls, queryset, root_node=None, show_empty=True, show_count=True):
+        counts = cls.get_tree_node_counts(queryset)
+        tree_nodes = []
+
+        # 根节点有可能是组织名称
+        if root_node is None:
+            root_node = cls.create_root_tree_node(queryset, show_count=show_count)
+            tree_nodes.append(root_node)
+
+        # 类别的节点
+        tree_nodes += cls.create_category_tree_nodes(
+            root_node, counts, show_empty=show_empty,
+            show_count=show_count
+        )
+
+        # 类型的节点
+        tree_nodes += cls.create_types_tree_nodes(
+            root_node, counts, show_empty=show_empty,
+            show_count=show_count
+        )
+
+        # 应用的节点
+        for app in queryset:
+            pid = root_node.id + '_' + app.type
+            tree_nodes.append(app.as_tree_node(pid))
+        return tree_nodes
+
+    def as_tree_node(self, pid):
+        icon_skin_category_mapper = {
+            'remote_app': 'chrome',
+            'db': 'database',
+            'cloud': 'cloud'
+        }
+        icon_skin = icon_skin_category_mapper.get(self.category, 'file')
+        node = TreeNode(**{
+            'id': str(self.id),
+            'name': self.name,
+            'title': self.name,
+            'pId': pid,
+            'isParent': False,
+            'open': False,
+            'iconSkin': icon_skin,
+            'meta': {
+                'type': 'application',
+                'data': {
+                    'category': self.category,
+                    'type': self.type,
+                }
+            }
+        })
+        return node
+
+
+class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
    name = models.CharField(max_length=128, verbose_name=_('Name'))
    category = models.CharField(
-        max_length=16, choices=const.ApplicationCategoryChoices.choices, verbose_name=_('Category')
+        max_length=16, choices=const.AppCategory.choices, verbose_name=_('Category')
    )
    type = models.CharField(
-        max_length=16, choices=const.ApplicationTypeChoices.choices, verbose_name=_('Type')
+        max_length=16, choices=const.AppType.choices, verbose_name=_('Type')
    )
    domain = models.ForeignKey(
        'assets.Domain', null=True, blank=True, related_name='applications',
@@ -24,6 +180,7 @@ class Application(CommonModelMixin, OrgModelMixin):
    )

    class Meta:
+        verbose_name = _('Application')
        unique_together = [('org_id', 'name')]
        ordering = ('name',)

@@ -34,4 +191,41 @@ class Application(CommonModelMixin, OrgModelMixin):

    @property
    def category_remote_app(self):
-        return self.category == const.ApplicationCategoryChoices.remote_app.value
+        return self.category == const.AppCategory.remote_app.value
+
+    def get_rdp_remote_app_setting(self):
+        from applications.serializers.attrs import get_serializer_class_by_application_type
+        if not self.category_remote_app:
+            raise ValueError(f"Not a remote app application: {self.name}")
+        serializer_class = get_serializer_class_by_application_type(self.type)
+        fields = serializer_class().get_fields()
+
+        parameters = [self.type]
+        for field_name in list(fields.keys()):
+            if field_name in ['asset']:
+                continue
+            value = self.attrs.get(field_name)
+            if not value:
+                continue
+            if field_name == 'path':
+                value = '\"%s\"' % value
+            parameters.append(str(value))
+
+        parameters = ' '.join(parameters)
+        return {
+            'program': '||jmservisor',
+            'working_directory': '',
+            'parameters': parameters
+        }
+
+    def get_remote_app_asset(self):
+        asset_id = self.attrs.get('asset')
+        if not asset_id:
+            raise ValueError("Remote App not has asset attr")
+        asset = Asset.objects.filter(id=asset_id).first()
+        return asset
+
+
+class ApplicationUser(SystemUser):
+    class Meta:
+        proxy = True
--- a/apps/applications/serializers/application.py
+++ b/apps/applications/serializers/application.py
@@ -3,18 +3,24 @@

 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
-from orgs.mixins.serializers import BulkOrgResourceModelSerializer
-from common.drf.serializers import MethodSerializer
-from .attrs import category_serializer_classes_mapping, type_serializer_classes_mapping

+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from assets.serializers.base import AuthSerializerMixin
+from common.drf.serializers import MethodSerializer
+from .attrs import (
+    category_serializer_classes_mapping,
+    type_serializer_classes_mapping
+)
 from .. import models
+from .. import const

 __all__ = [
-    'ApplicationSerializer', 'ApplicationSerializerMixin',
+    'AppSerializer', 'MiniAppSerializer', 'AppSerializerMixin',
+    'AppAccountSerializer', 'AppAccountSecretSerializer'
 ]


-class ApplicationSerializerMixin(serializers.Serializer):
+class AppSerializerMixin(serializers.Serializer):
    attrs = MethodSerializer()

    def get_attrs_serializer(self):
@@ -42,17 +48,26 @@ class ApplicationSerializerMixin(serializers.Serializer):
            serializer = serializer_class
        return serializer

+    def create(self, validated_data):
+        return super().create(validated_data)

-class ApplicationSerializer(ApplicationSerializerMixin, BulkOrgResourceModelSerializer):
-    category_display = serializers.ReadOnlyField(source='get_category_display', label=_('Category'))
-    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type'))
+    def update(self, instance, validated_data):
+        return super().update(instance, validated_data)
+
+
+class AppSerializer(AppSerializerMixin, BulkOrgResourceModelSerializer):
+    category_display = serializers.ReadOnlyField(source='get_category_display', label=_('Category display'))
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))

    class Meta:
        model = models.Application
-        fields = [
-            'id', 'name', 'category', 'category_display', 'type', 'type_display', 'attrs',
-            'domain', 'created_by', 'date_created', 'date_updated', 'comment'
+        fields_mini = ['id', 'name']
+        fields_small = fields_mini + [
+            'category', 'category_display', 'type', 'type_display',
+            'attrs', 'date_created', 'date_updated', 'created_by', 'comment'
        ]
+        fields_fk = ['domain']
+        fields = fields_small + fields_fk
        read_only_fields = [
            'created_by', 'date_created', 'date_updated', 'get_type_display',
        ]
@@ -62,3 +77,64 @@ class ApplicationSerializer(ApplicationSerializerMixin, BulkOrgResourceModelSeri
        _attrs.update(attrs)
        return _attrs

+
+class MiniAppSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = models.Application
+        fields = AppSerializer.Meta.fields_mini
+
+
+class AppAccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
+    category = serializers.ChoiceField(label=_('Category'), choices=const.AppCategory.choices, read_only=True)
+    category_display = serializers.SerializerMethodField(label=_('Category display'))
+    type = serializers.ChoiceField(label=_('Type'), choices=const.AppType.choices, read_only=True)
+    type_display = serializers.SerializerMethodField(label=_('Type display'))
+
+    category_mapper = dict(const.AppCategory.choices)
+    type_mapper = dict(const.AppType.choices)
+
+    class Meta:
+        model = models.Account
+        fields_mini = ['id', 'username', 'version']
+        fields_write_only = ['password', 'private_key']
+        fields_fk = ['systemuser', 'systemuser_display', 'app', 'app_display']
+        fields = fields_mini + fields_fk + fields_write_only + [
+            'type', 'type_display', 'category', 'category_display',
+        ]
+        extra_kwargs = {
+            'username': {'default': '', 'required': False},
+            'password': {'write_only': True},
+            'app_display': {'label': _('Application display')},
+            'systemuser_display': {'label': _('System User')}
+        }
+        use_model_bulk_create = True
+        model_bulk_create_kwargs = {
+            'ignore_conflicts': True
+        }
+
+    def get_category_display(self, obj):
+        return self.category_mapper.get(obj.category)
+
+    def get_type_display(self, obj):
+        return self.type_mapper.get(obj.type)
+
+    @classmethod
+    def setup_eager_loading(cls, queryset):
+        """ Perform necessary eager loading of data. """
+        queryset = queryset.prefetch_related('systemuser', 'app')
+        return queryset
+
+    def to_representation(self, instance):
+        instance.load_auth()
+        return super().to_representation(instance)
+
+
+class AppAccountSecretSerializer(AppAccountSerializer):
+    class Meta(AppAccountSerializer.Meta):
+        extra_kwargs = {
+            'password': {'write_only': False},
+            'private_key': {'write_only': False},
+            'public_key': {'write_only': False},
+            'app_display': {'label': _('Application display')},
+            'systemuser_display': {'label': _('System User')}
+        }
--- a/apps/applications/serializers/attrs/application_category/remote_app.py
+++ b/apps/applications/serializers/attrs/application_category/remote_app.py
@@ -5,7 +5,7 @@ from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ObjectDoesNotExist

-from common.utils import get_logger, is_uuid
+from common.utils import get_logger, is_uuid, get_object_or_none
 from assets.models import Asset

 logger = get_logger(__file__)
@@ -14,39 +14,48 @@ logger = get_logger(__file__)
 __all__ = ['RemoteAppSerializer']


-class CharPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):
+class ExistAssetPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):

    def to_internal_value(self, data):
        instance = super().to_internal_value(data)
        return str(instance.id)

-    def to_representation(self, value):
-        # value is instance.id
+    def to_representation(self, _id):
+        # _id 是 instance.id
        if self.pk_field is not None:
-            return self.pk_field.to_representation(value)
-        return value
+            return self.pk_field.to_representation(_id)
+        # 解决删除资产后，远程应用更新页面会显示资产ID的问题
+        asset = get_object_or_none(Asset, id=_id)
+        if not asset:
+            return None
+        return _id


 class RemoteAppSerializer(serializers.Serializer):
    asset_info = serializers.SerializerMethodField()
-    asset = CharPrimaryKeyRelatedField(
-        queryset=Asset.objects, required=False, label=_("Asset"), allow_null=True
+    asset = ExistAssetPrimaryKeyRelatedField(
+        queryset=Asset.objects, required=True, label=_("Asset"), allow_null=True
    )
    path = serializers.CharField(
        max_length=128, label=_('Application path'), allow_null=True
    )

+    def validate_asset(self, asset):
+        if not asset:
+            raise serializers.ValidationError(_('This field is required.'))
+        return asset
+
    @staticmethod
    def get_asset_info(obj):
        asset_id = obj.get('asset')
-        if not asset_id or is_uuid(asset_id):
+        if not asset_id or not is_uuid(asset_id):
            return {}
        try:
-            asset = Asset.objects.filter(id=str(asset_id)).values_list('id', 'hostname')
+            asset = Asset.objects.get(id=str(asset_id))
        except ObjectDoesNotExist as e:
            logger.error(e)
            return {}
        if not asset:
            return {}
-        asset_info = {'id': str(asset[0]), 'hostname': asset[1]}
+        asset_info = {'id': str(asset.id), 'hostname': asset.hostname}
        return asset_info
--- a/apps/applications/serializers/attrs/attrs.py
+++ b/apps/applications/serializers/attrs/attrs.py
@@ -14,9 +14,9 @@ __all__ = [
 # ---------------------------------------------------

 category_serializer_classes_mapping = {
-    const.ApplicationCategoryChoices.db.value: application_category.DBSerializer,
-    const.ApplicationCategoryChoices.remote_app.value: application_category.RemoteAppSerializer,
-    const.ApplicationCategoryChoices.cloud.value: application_category.CloudSerializer,
+    const.AppCategory.db.value: application_category.DBSerializer,
+    const.AppCategory.remote_app.value: application_category.RemoteAppSerializer,
+    const.AppCategory.cloud.value: application_category.CloudSerializer,
 }

 # define `attrs` field `type serializers mapping`
@@ -24,17 +24,17 @@ category_serializer_classes_mapping = {

 type_serializer_classes_mapping = {
    # db
-    const.ApplicationTypeChoices.mysql.value: application_type.MySQLSerializer,
-    const.ApplicationTypeChoices.mariadb.value: application_type.MariaDBSerializer,
-    const.ApplicationTypeChoices.oracle.value: application_type.OracleSerializer,
-    const.ApplicationTypeChoices.pgsql.value: application_type.PostgreSerializer,
+    const.AppType.mysql.value: application_type.MySQLSerializer,
+    const.AppType.mariadb.value: application_type.MariaDBSerializer,
+    const.AppType.oracle.value: application_type.OracleSerializer,
+    const.AppType.pgsql.value: application_type.PostgreSerializer,
    # remote-app
-    const.ApplicationTypeChoices.chrome.value: application_type.ChromeSerializer,
-    const.ApplicationTypeChoices.mysql_workbench.value: application_type.MySQLWorkbenchSerializer,
-    const.ApplicationTypeChoices.vmware_client.value: application_type.VMwareClientSerializer,
-    const.ApplicationTypeChoices.custom.value: application_type.CustomSerializer,
+    const.AppType.chrome.value: application_type.ChromeSerializer,
+    const.AppType.mysql_workbench.value: application_type.MySQLWorkbenchSerializer,
+    const.AppType.vmware_client.value: application_type.VMwareClientSerializer,
+    const.AppType.custom.value: application_type.CustomSerializer,
    # cloud
-    const.ApplicationTypeChoices.k8s.value: application_type.K8SSerializer
+    const.AppType.k8s.value: application_type.K8SSerializer
 }


--- a/apps/applications/serializers/remote_app.py
+++ b/apps/applications/serializers/remote_app.py
@@ -27,31 +27,5 @@ class RemoteAppConnectionInfoSerializer(serializers.ModelSerializer):
        return obj.attrs.get('asset')

    @staticmethod
-    def get_parameters(obj):
-        """
-        返回Guacamole需要的RemoteApp配置参数信息中的parameters参数
-        """
-        from .attrs import get_serializer_class_by_application_type
-        serializer_class = get_serializer_class_by_application_type(obj.type)
-        fields = serializer_class().get_fields()
-
-        parameters = [obj.type]
-        for field_name in list(fields.keys()):
-            if field_name in ['asset']:
-                continue
-            value = obj.attrs.get(field_name)
-            if not value:
-                continue
-            if field_name == 'path':
-                value = '\"%s\"' % value
-            parameters.append(str(value))
-
-        parameters = ' '.join(parameters)
-        return parameters
-
-    def get_parameter_remote_app(self, obj):
-        return {
-            'program': '||jmservisor',
-            'working_directory': '',
-            'parameters': self.get_parameters(obj)
-        }
+    def get_parameter_remote_app(obj):
+        return obj.get_rdp_remote_app_setting()
--- a/apps/applications/urls/api_urls.py
+++ b/apps/applications/urls/api_urls.py
@@ -10,10 +10,14 @@ app_name = 'applications'

 router = BulkRouter()
 router.register(r'applications', api.ApplicationViewSet, 'application')
+router.register(r'accounts', api.ApplicationAccountViewSet, 'application-account')
+router.register(r'account-secrets', api.ApplicationAccountSecretViewSet, 'application-account-secret')


 urlpatterns = [
    path('remote-apps/<uuid:pk>/connection-info/', api.RemoteAppConnectionInfoApi.as_view(), name='remote-app-connection-info'),
+    # path('accounts/', api.ApplicationAccountViewSet.as_view(), name='application-account'),
+    # path('account-secrets/', api.ApplicationAccountSecretViewSet.as_view(), name='application-account-secret')
 ]


--- a/apps/assets/api/init.py
+++ b/apps/assets/api/init.py
@@ -4,9 +4,9 @@ from .asset import *
 from .label import *
 from .system_user import *
 from .system_user_relation import *
+from .accounts import *
 from .node import *
 from .domain import *
 from .cmd_filter import *
-from .asset_user import *
 from .gathered_user import *
 from .favorite_asset import *
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -0,0 +1,114 @@
+from django.db.models import F, Q
+from rest_framework.decorators import action
+from django_filters import rest_framework as filters
+from rest_framework.response import Response
+from django.shortcuts import get_object_or_404
+from rest_framework.generics import CreateAPIView
+
+from orgs.mixins.api import OrgBulkModelViewSet
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, NeedMFAVerify
+from common.drf.filters import BaseFilterSet
+from ..tasks.account_connectivity import test_accounts_connectivity_manual
+from ..models import AuthBook, Node
+from .. import serializers
+
+__all__ = ['AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
+
+
+class AccountFilterSet(BaseFilterSet):
+    username = filters.CharFilter(method='do_nothing')
+    ip = filters.CharFilter(field_name='ip', lookup_expr='exact')
+    hostname = filters.CharFilter(field_name='hostname', lookup_expr='exact')
+    node = filters.CharFilter(method='do_nothing')
+
+    @property
+    def qs(self):
+        qs = super().qs
+        qs = self.filter_username(qs)
+        qs = self.filter_node(qs)
+        return qs
+
+    def filter_username(self, qs):
+        username = self.get_query_param('username')
+        if not username:
+            return qs
+        qs = qs.filter(Q(username=username) | Q(systemuser__username=username)).distinct()
+        return qs
+
+    def filter_node(self, qs):
+        node_id = self.get_query_param('node')
+        if not node_id:
+            return qs
+        node = get_object_or_404(Node, pk=node_id)
+        node_ids = node.get_all_children(with_self=True).values_list('id', flat=True)
+        node_ids = list(node_ids)
+        qs = qs.filter(asset__nodes__in=node_ids)
+        return qs
+
+    class Meta:
+        model = AuthBook
+        fields = [
+            'asset', 'systemuser', 'id',
+        ]
+
+
+class AccountViewSet(OrgBulkModelViewSet):
+    model = AuthBook
+    filterset_fields = ("username", "asset", "systemuser", 'ip', 'hostname')
+    search_fields = ('username', 'ip', 'hostname', 'systemuser__username')
+    filterset_class = AccountFilterSet
+    serializer_classes = {
+        'default': serializers.AccountSerializer,
+        'verify_account': serializers.AssetTaskSerializer
+    }
+    permission_classes = (IsOrgAdmin,)
+
+    def get_queryset(self):
+        queryset = super().get_queryset() \
+            .annotate(ip=F('asset__ip')) \
+            .annotate(hostname=F('asset__hostname'))
+        return queryset
+
+    @action(methods=['post'], detail=True, url_path='verify')
+    def verify_account(self, request, *args, **kwargs):
+        account = super().get_object()
+        task = test_accounts_connectivity_manual.delay([account])
+        return Response(data={'task': task.id})
+
+
+class AccountSecretsViewSet(AccountViewSet):
+    """
+    因为可能要导出所有账号，所以单独建立了一个 viewset
+    """
+    serializer_classes = {
+        'default': serializers.AccountSecretSerializer
+    }
+    permission_classes = (IsOrgAdmin, NeedMFAVerify)
+    http_method_names = ['get']
+
+
+class AccountTaskCreateAPI(CreateAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = serializers.AccountTaskSerializer
+    filterset_fields = AccountViewSet.filterset_fields
+    search_fields = AccountViewSet.search_fields
+    filterset_class = AccountViewSet.filterset_class
+
+    def get_accounts(self):
+        queryset = AuthBook.objects.all()
+        queryset = self.filter_queryset(queryset)
+        return queryset
+
+    def perform_create(self, serializer):
+        accounts = self.get_accounts()
+        task = test_accounts_connectivity_manual.delay(accounts)
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)
+        return task
+
+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+
+        return handler
--- a/apps/assets/api/admin_user.py
+++ b/apps/assets/api/admin_user.py
@@ -1,105 +1,30 @@
-
-
-from django.db import transaction
 from django.db.models import Count
-from django.shortcuts import get_object_or_404
-from django.utils.translation import ugettext as _
-from rest_framework import status
-from rest_framework.response import Response
-from orgs.mixins.api import OrgBulkModelViewSet
-from orgs.mixins import generics

+from orgs.mixins.api import OrgBulkModelViewSet
 from common.utils import get_logger
 from ..hands import IsOrgAdmin
-from ..models import AdminUser, Asset
+from ..models import SystemUser
 from .. import serializers
-from ..tasks import test_admin_user_connectivity_manual


 logger = get_logger(__file__)
-__all__ = [
-    'AdminUserViewSet', 'ReplaceNodesAdminUserApi',
-    'AdminUserTestConnectiveApi', 'AdminUserAuthApi',
-    'AdminUserAssetsListView',
-]
+__all__ = ['AdminUserViewSet']


+# 兼容一下老的 api
 class AdminUserViewSet(OrgBulkModelViewSet):
    """
    Admin user api set, for add,delete,update,list,retrieve resource
    """
-    model = AdminUser
+    model = SystemUser
    filterset_fields = ("name", "username")
    search_fields = filterset_fields
    serializer_class = serializers.AdminUserSerializer
    permission_classes = (IsOrgAdmin,)
+    ordering_fields = ('name',)
+    ordering = ('name', )

    def get_queryset(self):
-        queryset = super().get_queryset()
+        queryset = super().get_queryset().filter(type=SystemUser.Type.admin)
        queryset = queryset.annotate(assets_amount=Count('assets'))
        return queryset
-
-    def destroy(self, request, *args, **kwargs):
-        instance = self.get_object()
-        has_related_asset = instance.assets.exists()
-        if has_related_asset:
-            data = {'msg': _('Deleted failed, There are related assets')}
-            return Response(data=data, status=status.HTTP_400_BAD_REQUEST)
-        return super().destroy(request, *args, **kwargs)
-
-
-class AdminUserAuthApi(generics.UpdateAPIView):
-    model = AdminUser
-    serializer_class = serializers.AdminUserAuthSerializer
-    permission_classes = (IsOrgAdmin,)
-
-
-class ReplaceNodesAdminUserApi(generics.UpdateAPIView):
-    model = AdminUser
-    serializer_class = serializers.ReplaceNodeAdminUserSerializer
-    permission_classes = (IsOrgAdmin,)
-
-    def update(self, request, *args, **kwargs):
-        admin_user = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-        if serializer.is_valid():
-            nodes = serializer.validated_data['nodes']
-            assets = []
-            for node in nodes:
-                assets.extend([asset.id for asset in node.get_all_assets()])
-
-            with transaction.atomic():
-                Asset.objects.filter(id__in=assets).update(admin_user=admin_user)
-
-            return Response({"msg": "ok"})
-        else:
-            return Response({'error': serializer.errors}, status=400)
-
-
-class AdminUserTestConnectiveApi(generics.RetrieveAPIView):
-    """
-    Test asset admin user assets_connectivity
-    """
-    model = AdminUser
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.TaskIDSerializer
-
-    def retrieve(self, request, *args, **kwargs):
-        admin_user = self.get_object()
-        task = test_admin_user_connectivity_manual.delay(admin_user)
-        return Response({"task": task.id})
-
-
-class AdminUserAssetsListView(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
-    serializer_class = serializers.AssetSimpleSerializer
-    filterset_fields = ("hostname", "ip")
-    search_fields = filterset_fields
-
-    def get_object(self):
-        pk = self.kwargs.get('pk')
-        return get_object_or_404(AdminUser, pk=pk)
-
-    def get_queryset(self):
-        admin_user = self.get_object()
-        return admin_user.get_related_assets()
--- a/apps/assets/api/asset.py
+++ b/apps/assets/api/asset.py
@@ -2,32 +2,40 @@
 #
 from assets.api import FilterAssetByNodeMixin
 from rest_framework.viewsets import ModelViewSet
-from rest_framework.generics import RetrieveAPIView
-from rest_framework.response import Response
-from rest_framework import status
+from rest_framework.generics import RetrieveAPIView, ListAPIView
 from django.shortcuts import get_object_or_404
+from django.db.models import Q

 from common.utils import get_logger, get_object_or_none
 from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsSuperUser
+from common.mixins.api import SuggestionMixin
+from users.models import User, UserGroup
+from users.serializers import UserSerializer, UserGroupSerializer
+from users.filters import UserFilter
+from perms.models import AssetPermission
+from perms.serializers import AssetPermissionSerializer
+from perms.filters import AssetPermissionFilter
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
 from ..models import Asset, Node, Platform
 from .. import serializers
 from ..tasks import (
-    update_assets_hardware_info_manual, test_assets_connectivity_manual
+    update_assets_hardware_info_manual, test_assets_connectivity_manual,
+    test_system_users_connectivity_a_asset, push_system_users_a_asset
 )
 from ..filters import FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend

-
 logger = get_logger(__file__)
 __all__ = [
    'AssetViewSet', 'AssetPlatformRetrieveApi',
    'AssetGatewayListApi', 'AssetPlatformViewSet',
    'AssetTaskCreateApi', 'AssetsTaskCreateApi',
+    'AssetPermUserListApi', 'AssetPermUserPermissionsListApi',
+    'AssetPermUserGroupListApi', 'AssetPermUserGroupPermissionsListApi',
 ]


-class AssetViewSet(FilterAssetByNodeMixin, OrgBulkModelViewSet):
+class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet):
    """
    API endpoint that allows Asset to be viewed or edited.
    """
@@ -35,17 +43,17 @@ class AssetViewSet(FilterAssetByNodeMixin, OrgBulkModelViewSet):
    filterset_fields = {
        'hostname': ['exact'],
        'ip': ['exact'],
-        'systemuser__id': ['exact'],
-        'admin_user__id': ['exact'],
+        'system_users__id': ['exact'],
        'platform__base': ['exact'],
        'is_active': ['exact'],
        'protocols': ['exact', 'icontains']
    }
    search_fields = ("hostname", "ip")
    ordering_fields = ("hostname", "ip", "port", "cpu_cores")
+    ordering = ('hostname', )
    serializer_classes = {
        'default': serializers.AssetSerializer,
-        'display': serializers.AssetDisplaySerializer,
+        'suggestion': serializers.MiniAssetSerializer
    }
    permission_classes = (IsOrgAdminOrAppUser,)
    extra_filter_backends = [FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend]
@@ -98,21 +106,27 @@ class AssetPlatformViewSet(ModelViewSet):


 class AssetsTaskMixin:
+
    def perform_assets_task(self, serializer):
        data = serializer.validated_data
-        assets = data['assets']
        action = data['action']
+        assets = data.get('assets', [])
        if action == "refresh":
            task = update_assets_hardware_info_manual.delay(assets)
        else:
+            # action == 'test':
            task = test_assets_connectivity_manual.delay(assets)
+        return task
+
+    def perform_create(self, serializer):
+        task = self.perform_assets_task(serializer)
+        self.set_task_to_serializer_data(serializer, task)
+
+    def set_task_to_serializer_data(self, serializer, task):
        data = getattr(serializer, '_data', {})
        data["task"] = task.id
        setattr(serializer, '_data', data)

-    def perform_create(self, serializer):
-        self.perform_assets_task(serializer)
-

 class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
    model = Asset
@@ -121,13 +135,37 @@ class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):

    def create(self, request, *args, **kwargs):
        pk = self.kwargs.get('pk')
+        request.data['asset'] = pk
        request.data['assets'] = [pk]
        return super().create(request, *args, **kwargs)

+    def perform_asset_task(self, serializer):
+        data = serializer.validated_data
+        action = data['action']
+        if action not in ['push_system_user', 'test_system_user']:
+            return
+        asset = data['asset']
+        system_users = data.get('system_users')
+        if not system_users:
+            system_users = asset.get_all_systemusers()
+        if action == 'push_system_user':
+            task = push_system_users_a_asset.delay(system_users, asset=asset)
+        elif action == 'test_system_user':
+            task = test_system_users_connectivity_a_asset.delay(system_users, asset=asset)
+        else:
+            task = None
+        return task
+
+    def perform_create(self, serializer):
+        task = self.perform_asset_task(serializer)
+        if not task:
+            task = self.perform_assets_task(serializer)
+        self.set_task_to_serializer_data(serializer, task)
+

 class AssetsTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
    model = Asset
-    serializer_class = serializers.AssetTaskSerializer
+    serializer_class = serializers.AssetsTaskSerializer
    permission_classes = (IsOrgAdmin,)


@@ -142,3 +180,102 @@ class AssetGatewayListApi(generics.ListAPIView):
            return []
        queryset = asset.domain.gateways.filter(protocol='ssh')
        return queryset
+
+
+class BaseAssetPermUserOrUserGroupListApi(ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+
+    def get_object(self):
+        asset_id = self.kwargs.get('pk')
+        asset = get_object_or_404(Asset, pk=asset_id)
+        return asset
+
+    def get_asset_related_perms(self):
+        asset = self.get_object()
+        nodes = asset.get_all_nodes(flat=True)
+        perms = AssetPermission.objects.filter(Q(assets=asset) | Q(nodes__in=nodes))
+        return perms
+
+
+class AssetPermUserListApi(BaseAssetPermUserOrUserGroupListApi):
+    filterset_class = UserFilter
+    search_fields = ('username', 'email', 'name', 'id', 'source', 'role')
+    serializer_class = UserSerializer
+
+    def get_queryset(self):
+        perms = self.get_asset_related_perms()
+        users = User.objects.filter(
+            Q(assetpermissions__in=perms) | Q(groups__assetpermissions__in=perms)
+        ).distinct()
+        return users
+
+
+class AssetPermUserGroupListApi(BaseAssetPermUserOrUserGroupListApi):
+    serializer_class = UserGroupSerializer
+
+    def get_queryset(self):
+        perms = self.get_asset_related_perms()
+        user_groups = UserGroup.objects.filter(assetpermissions__in=perms).distinct()
+        return user_groups
+
+
+class BaseAssetPermUserOrUserGroupPermissionsListApiMixin(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
+    model = AssetPermission
+    serializer_class = AssetPermissionSerializer
+    filterset_class = AssetPermissionFilter
+    search_fields = ('name',)
+
+    def get_object(self):
+        asset_id = self.kwargs.get('pk')
+        asset = get_object_or_404(Asset, pk=asset_id)
+        return asset
+
+    def filter_asset_related(self, queryset):
+        asset = self.get_object()
+        nodes = asset.get_all_nodes(flat=True)
+        perms = queryset.filter(Q(assets=asset) | Q(nodes__in=nodes))
+        return perms
+
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        queryset = self.filter_asset_related(queryset)
+        return queryset
+
+
+class AssetPermUserPermissionsListApi(BaseAssetPermUserOrUserGroupPermissionsListApiMixin):
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        queryset = self.filter_user_related(queryset)
+        queryset = queryset.distinct()
+        return queryset
+
+    def filter_user_related(self, queryset):
+        user = self.get_perm_user()
+        user_groups = user.groups.all()
+        perms = queryset.filter(Q(users=user) | Q(user_groups__in=user_groups))
+        return perms
+
+    def get_perm_user(self):
+        user_id = self.kwargs.get('perm_user_id')
+        user = get_object_or_404(User, pk=user_id)
+        return user
+
+
+class AssetPermUserGroupPermissionsListApi(BaseAssetPermUserOrUserGroupPermissionsListApiMixin):
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        queryset = self.filter_user_group_related(queryset)
+        queryset = queryset.distinct()
+        return queryset
+
+    def filter_user_group_related(self, queryset):
+        user_group = self.get_perm_user_group()
+        perms = queryset.filter(user_groups=user_group)
+        return perms
+
+    def get_perm_user_group(self):
+        user_group_id = self.kwargs.get('perm_user_group_id')
+        user_group = get_object_or_404(UserGroup, pk=user_group_id)
+        return user_group
+
--- a/apps/assets/api/asset_user.py
+++ b/apps/assets/api/asset_user.py
@@ -1,157 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-import coreapi
-from django.conf import settings
-from rest_framework.response import Response
-from rest_framework import generics, filters
-from rest_framework_bulk import BulkModelViewSet
-
-from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
-from common.utils import get_object_or_none, get_logger
-from common.mixins import CommonApiMixin
-from ..backends import AssetUserManager
-from ..models import Asset, Node, SystemUser
-from .. import serializers
-from ..tasks import (
-    test_asset_users_connectivity_manual, push_system_user_a_asset_manual
-)
-
-
-__all__ = [
-    'AssetUserViewSet', 'AssetUserAuthInfoViewSet', 'AssetUserTaskCreateAPI',
-]
-
-
-logger = get_logger(__name__)
-
-
-class AssetUserFilterBackend(filters.BaseFilterBackend):
-    def filter_queryset(self, request, queryset, view):
-        kwargs = {}
-        for field in view.filterset_fields:
-            value = request.GET.get(field)
-            if not value:
-                continue
-            if field == "node_id":
-                value = get_object_or_none(Node, pk=value)
-                kwargs["node"] = value
-                continue
-            elif field == "asset_id":
-                field = "asset"
-            kwargs[field] = value
-        if kwargs:
-            queryset = queryset.filter(**kwargs)
-        logger.debug("Filter {}".format(kwargs))
-        return queryset
-
-
-class AssetUserSearchBackend(filters.BaseFilterBackend):
-    def filter_queryset(self, request, queryset, view):
-        value = request.GET.get('search')
-        if not value:
-            return queryset
-        queryset = queryset.search(value)
-        return queryset
-
-
-class AssetUserLatestFilterBackend(filters.BaseFilterBackend):
-    def get_schema_fields(self, view):
-        return [
-            coreapi.Field(
-                name='latest', location='query', required=False,
-                type='string', example='1',
-                description='Only the latest version'
-            )
-        ]
-
-    def filter_queryset(self, request, queryset, view):
-        latest = request.GET.get('latest') == '1'
-        if latest:
-            queryset = queryset.distinct()
-        return queryset
-
-
-class AssetUserViewSet(CommonApiMixin, BulkModelViewSet):
-    serializer_classes = {
-        'default': serializers.AssetUserWriteSerializer,
-        'display': serializers.AssetUserReadSerializer,
-        'retrieve': serializers.AssetUserReadSerializer,
-    }
-    permission_classes = [IsOrgAdminOrAppUser]
-    filterset_fields = [
-        "id", "ip", "hostname", "username",
-        "asset_id", "node_id",
-        "prefer", "prefer_id",
-    ]
-    search_fields = ["ip", "hostname", "username"]
-    filter_backends = [
-        AssetUserFilterBackend, AssetUserSearchBackend,
-        AssetUserLatestFilterBackend,
-    ]
-
-    def allow_bulk_destroy(self, qs, filtered):
-        return False
-
-    def get_object(self):
-        pk = self.kwargs.get("pk")
-        if pk is None:
-            return
-        queryset = self.get_queryset()
-        obj = queryset.get(id=pk)
-        return obj
-
-    def get_exception_handler(self):
-        def handler(e, context):
-            logger.error(e, exc_info=True)
-            return Response({"error": str(e)}, status=400)
-        return handler
-
-    def perform_destroy(self, instance):
-        manager = AssetUserManager()
-        manager.delete(instance)
-
-    def get_queryset(self):
-        manager = AssetUserManager()
-        queryset = manager.all()
-        return queryset
-
-
-class AssetUserAuthInfoViewSet(AssetUserViewSet):
-    serializer_classes = {"default": serializers.AssetUserAuthInfoSerializer}
-    http_method_names = ['get', 'post']
-    permission_classes = [IsOrgAdminOrAppUser]
-
-    def get_permissions(self):
-        if settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            self.permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
-        return super().get_permissions()
-
-
-class AssetUserTaskCreateAPI(generics.CreateAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
-    serializer_class = serializers.AssetUserTaskSerializer
-    filter_backends = AssetUserViewSet.filter_backends
-    filterset_fields = AssetUserViewSet.filterset_fields
-
-    def get_asset_users(self):
-        manager = AssetUserManager()
-        queryset = manager.all()
-        for cls in self.filter_backends:
-            queryset = cls().filter_queryset(self.request, queryset, self)
-        return list(queryset)
-
-    def perform_create(self, serializer):
-        asset_users = self.get_asset_users()
-        # action = serializer.validated_data["action"]
-        # only this
-        # if action == "test":
-        task = test_asset_users_connectivity_manual.delay(asset_users)
-        data = getattr(serializer, '_data', {})
-        data["task"] = task.id
-        setattr(serializer, '_data', data)
-        return task
-
-    def get_exception_handler(self):
-        def handler(e, context):
-            return Response({"error": str(e)}, status=400)
-        return handler
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -1,15 +1,22 @@
 # -*- coding: utf-8 -*-
 #

+from rest_framework.response import Response
+from rest_framework.generics import CreateAPIView
 from django.shortcuts import get_object_or_404

+from common.utils import reverse
+from common.utils import lazyproperty
 from orgs.mixins.api import OrgBulkModelViewSet
-from ..hands import IsOrgAdmin
+from tickets.api import GenericTicketStatusRetrieveCloseAPI
+from ..hands import IsOrgAdmin, IsAppUser
 from ..models import CommandFilter, CommandFilterRule
 from .. import serializers

-
-__all__ = ['CommandFilterViewSet', 'CommandFilterRuleViewSet']
+__all__ = [
+    'CommandFilterViewSet', 'CommandFilterRuleViewSet', 'CommandConfirmAPI',
+    'CommandConfirmStatusAPI'
+]


 class CommandFilterViewSet(OrgBulkModelViewSet):
@@ -35,3 +42,50 @@ class CommandFilterRuleViewSet(OrgBulkModelViewSet):
        return cmd_filter.rules.all()


+class CommandConfirmAPI(CreateAPIView):
+    permission_classes = (IsAppUser,)
+    serializer_class = serializers.CommandConfirmSerializer
+
+    def create(self, request, *args, **kwargs):
+        ticket = self.create_command_confirm_ticket()
+        response_data = self.get_response_data(ticket)
+        return Response(data=response_data, status=200)
+
+    def create_command_confirm_ticket(self):
+        ticket = self.serializer.cmd_filter_rule.create_command_confirm_ticket(
+            run_command=self.serializer.data.get('run_command'),
+            session=self.serializer.session,
+            cmd_filter_rule=self.serializer.cmd_filter_rule,
+            org_id=self.serializer.org.id
+        )
+        return ticket
+
+    @staticmethod
+    def get_response_data(ticket):
+        confirm_status_url = reverse(
+            view_name='api-assets:command-confirm-status',
+            kwargs={'pk': str(ticket.id)}
+        )
+        ticket_detail_url = reverse(
+            view_name='api-tickets:ticket-detail',
+            kwargs={'pk': str(ticket.id)},
+            external=True, api_to_ui=True
+        )
+        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
+        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        return {
+            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
+            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
+            'ticket_detail_url': ticket_detail_url,
+            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees]
+        }
+
+    @lazyproperty
+    def serializer(self):
+        serializer = self.get_serializer(data=self.request.data)
+        serializer.is_valid(raise_exception=True)
+        return serializer
+
+
+class CommandConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
+    pass
--- a/apps/assets/api/domain.py
+++ b/apps/assets/api/domain.py
@@ -22,6 +22,8 @@ class DomainViewSet(OrgBulkModelViewSet):
    search_fields = filterset_fields
    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.DomainSerializer
+    ordering_fields = ('name',)
+    ordering = ('name', )

    def get_serializer_class(self):
        if self.request.query_params.get('gateway'):
@@ -33,7 +35,7 @@ class GatewayViewSet(OrgBulkModelViewSet):
    model = Gateway
    filterset_fields = ("domain__name", "name", "username", "ip", "domain")
    search_fields = ("domain__name", "name", "username", "ip")
-    permission_classes = (IsOrgAdmin,)
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.GatewaySerializer


--- a/apps/assets/api/mixin.py
+++ b/apps/assets/api/mixin.py
@@ -1,14 +1,15 @@
 from typing import List

+from common.utils.common import timeit
 from assets.models import Node, Asset
-from assets.pagination import AssetLimitOffsetPagination
-from common.utils import lazyproperty, dict_get_any, is_uuid, get_object_or_none
+from assets.pagination import NodeAssetTreePagination
+from common.utils import lazyproperty
 from assets.utils import get_node, is_query_node_all_assets


 class SerializeToTreeNodeMixin:
-    permission_classes = ()

+    @timeit
    def serialize_nodes(self, nodes: List[Node], with_asset_amount=False):
        if with_asset_amount:
            def _name(node: Node):
@@ -25,7 +26,7 @@ class SerializeToTreeNodeMixin:
                'isParent': True,
                'open': node.is_org_root(),
                'meta': {
-                    'node': {
+                    'data': {
                        "id": node.id,
                        "key": node.key,
                        "value": node.value,
@@ -45,6 +46,7 @@ class SerializeToTreeNodeMixin:
            return platform
        return default

+    @timeit
    def serialize_assets(self, assets, node_key=None):
        if node_key is None:
            get_pid = lambda asset: getattr(asset, 'parent_key', '')
@@ -63,7 +65,7 @@ class SerializeToTreeNodeMixin:
                'chkDisabled': not asset.is_active,
                'meta': {
                    'type': 'asset',
-                    'asset': {
+                    'data': {
                        'id': asset.id,
                        'hostname': asset.hostname,
                        'ip': asset.ip,
@@ -79,7 +81,7 @@ class SerializeToTreeNodeMixin:


 class FilterAssetByNodeMixin:
-    pagination_class = AssetLimitOffsetPagination
+    pagination_class = NodeAssetTreePagination

    @lazyproperty
    def is_query_node_all_assets(self):
--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -8,7 +8,6 @@ from rest_framework.response import Response
 from rest_framework.decorators import action
 from django.utils.translation import ugettext_lazy as _
 from django.shortcuts import get_object_or_404, Http404
-from django.utils.decorators import method_decorator
 from django.db.models.signals import m2m_changed

 from common.const.http import POST
@@ -17,20 +16,19 @@ from common.const.signals import PRE_REMOVE, POST_REMOVE
 from assets.models import Asset
 from common.utils import get_logger, get_object_or_none
 from common.tree import TreeNodeSerializer
-from common.const.distributed_lock_key import UPDATE_NODE_TREE_LOCK_KEY
 from orgs.mixins.api import OrgModelViewSet
 from orgs.mixins import generics
-from orgs.lock import org_level_transaction_lock
 from orgs.utils import current_org
-from assets.tasks import check_node_assets_amount_task
 from ..hands import IsOrgAdmin
 from ..models import Node
 from ..tasks import (
    update_node_assets_hardware_info_manual,
    test_node_assets_connectivity_manual,
+    check_node_assets_amount_task
 )
 from .. import serializers
 from .mixin import SerializeToTreeNodeMixin
+from assets.locks import NodeAddChildrenLock


 logger = get_logger(__file__)
@@ -50,17 +48,17 @@ class NodeViewSet(OrgModelViewSet):
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer

-    @action(methods=[POST], detail=False, url_name='launch-check-assets-amount-task')
-    def launch_check_assets_amount_task(self, request):
-        task = check_node_assets_amount_task.delay(current_org.id)
-        return Response(data={'task': task.id})
-
    # 仅支持根节点指直接创建，子节点下的节点需要通过children接口创建
    def perform_create(self, serializer):
        child_key = Node.org_root().get_next_child_key()
        serializer.validated_data["key"] = child_key
        serializer.save()

+    @action(methods=[POST], detail=False, url_path='check_assets_amount_task')
+    def check_assets_amount_task(self, request):
+        task = check_node_assets_amount_task.delay(current_org.id)
+        return Response(data={'task': task.id})
+
    def perform_update(self, serializer):
        node = self.get_object()
        if node.is_org_root() and node.value != serializer.validated_data['value']:
@@ -73,8 +71,8 @@ class NodeViewSet(OrgModelViewSet):
        if node.is_org_root():
            error = _("You can't delete the root node ({})".format(node.value))
            return Response(data={'error': error}, status=status.HTTP_403_FORBIDDEN)
-        if node.has_children_or_has_assets():
-            error = _("Deletion failed and the node contains children or assets")
+        if node.has_offspring_assets():
+            error = _("Deletion failed and the node contains assets")
            return Response(data={'error': error}, status=status.HTTP_403_FORBIDDEN)
        return super().destroy(request, *args, **kwargs)

@@ -117,6 +115,7 @@ class NodeChildrenApi(generics.ListCreateAPIView):
        return super().initial(request, *args, **kwargs)

    def perform_create(self, serializer):
+        with NodeAddChildrenLock(self.instance):
            data = serializer.validated_data
            _id = data.get("id")
            value = data.get("value")
@@ -130,9 +129,13 @@ class NodeChildrenApi(generics.ListCreateAPIView):
    def get_object(self):
        pk = self.kwargs.get('pk') or self.request.query_params.get('id')
        key = self.request.query_params.get("key")
+
        if not pk and not key:
-            node = Node.org_root()
            self.is_initial = True
+            if current_org.is_root():
+                node = None
+            else:
+                node = Node.org_root()
            return node
        if pk:
            node = get_object_or_404(Node, pk=pk)
@@ -140,16 +143,26 @@ class NodeChildrenApi(generics.ListCreateAPIView):
            node = get_object_or_404(Node, key=key)
        return node

+    def get_org_root_queryset(self, query_all):
+        if query_all:
+            return Node.objects.all()
+        else:
+            return Node.org_root_nodes()
+
    def get_queryset(self):
        query_all = self.request.query_params.get("all", "0") == "all"
-        if not self.instance:
-            return Node.objects.none()
+
+        if self.is_initial and current_org.is_root():
+            return self.get_org_root_queryset(query_all)

        if self.is_initial:
            with_self = True
        else:
            with_self = False

+        if not self.instance:
+            return Node.objects.none()
+
        if query_all:
            queryset = self.instance.get_all_children(with_self=with_self)
        else:
@@ -181,12 +194,12 @@ class NodeChildrenAsTreeApi(SerializeToTreeNodeMixin, NodeChildrenApi):

    def get_assets(self):
        include_assets = self.request.query_params.get('assets', '0') == '1'
-        if not include_assets:
+        if not self.instance or not include_assets:
            return []
        assets = self.instance.get_assets().only(
-            "id", "hostname", "ip", "os",
-            "org_id", "protocols", "is_active"
-        )
+            "id", "hostname", "ip", "os", "platform_id",
+            "org_id", "protocols", "is_active",
+        ).prefetch_related('platform')
        return self.serialize_assets(assets, self.instance.key)


@@ -210,17 +223,16 @@ class NodeAddChildrenApi(generics.UpdateAPIView):
    serializer_class = serializers.NodeAddChildrenSerializer
    instance = None

-    def put(self, request, *args, **kwargs):
+    def update(self, request, *args, **kwargs):
+        """ 同时支持 put 和 patch 方法"""
        instance = self.get_object()
-        nodes_id = request.data.get("nodes")
-        children = Node.objects.filter(id__in=nodes_id)
+        node_ids = request.data.get("nodes")
+        children = Node.objects.filter(id__in=node_ids)
        for node in children:
            node.parent = instance
        return Response("OK")


-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='patch')
-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='put')
 class NodeAddAssetsApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
@@ -233,8 +245,6 @@ class NodeAddAssetsApi(generics.UpdateAPIView):
        instance.assets.add(*tuple(assets))


-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='patch')
-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='put')
 class NodeRemoveAssetsApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
@@ -247,12 +257,13 @@ class NodeRemoveAssetsApi(generics.UpdateAPIView):
        node.assets.remove(*assets)

        # 把孤儿资产添加到 root 节点
-        orphan_assets = Asset.objects.filter(id__in=[a.id for a in assets], nodes__isnull=True).distinct()
+        orphan_assets = Asset.objects.filter(
+            id__in=[a.id for a in assets],
+            nodes__isnull=True
+        ).distinct()
        Node.org_root().assets.add(*orphan_assets)


-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='patch')
-@method_decorator(org_level_transaction_lock(UPDATE_NODE_TREE_LOCK_KEY), name='put')
 class MoveAssetsToNodeApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@@ -3,28 +3,29 @@ from django.shortcuts import get_object_or_404
 from rest_framework.response import Response

 from common.utils import get_logger
-from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
-from common.drf.filters import CustomFilter
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
-from orgs.utils import tmp_to_org
+from common.mixins.api import SuggestionMixin
+from orgs.utils import tmp_to_root_org
+from rest_framework.decorators import action
 from ..models import SystemUser, Asset
 from .. import serializers
-from ..serializers import SystemUserWithAuthInfoSerializer
+from ..serializers import SystemUserWithAuthInfoSerializer, SystemUserTempAuthSerializer
 from ..tasks import (
    push_system_user_to_assets_manual, test_system_user_connectivity_manual,
    push_system_user_to_assets
 )

-
 logger = get_logger(__file__)
 __all__ = [
    'SystemUserViewSet', 'SystemUserAuthInfoApi', 'SystemUserAssetAuthInfoApi',
    'SystemUserCommandFilterRuleListApi', 'SystemUserTaskApi', 'SystemUserAssetsListView',
+    'SystemUserTempAuthInfoApi', 'SystemUserAppAuthInfoApi',
 ]


-class SystemUserViewSet(OrgBulkModelViewSet):
+class SystemUserViewSet(SuggestionMixin, OrgBulkModelViewSet):
    """
    System user api set, for add,delete,update,list,retrieve resource
    """
@@ -32,16 +33,45 @@ class SystemUserViewSet(OrgBulkModelViewSet):
    filterset_fields = {
        'name': ['exact'],
        'username': ['exact'],
-        'protocol': ['exact', 'in']
+        'protocol': ['exact', 'in'],
+        'type': ['exact', 'in'],
    }
    search_fields = filterset_fields
    serializer_class = serializers.SystemUserSerializer
    serializer_classes = {
        'default': serializers.SystemUserSerializer,
-        'list': serializers.SystemUserListSerializer,
+        'suggestion': serializers.MiniSystemUserSerializer
    }
+    ordering_fields = ('name', 'protocol', 'login_mode')
+    ordering = ('name', )
    permission_classes = (IsOrgAdminOrAppUser,)

+    @action(methods=['get'], detail=False, url_path='su-from')
+    def su_from(self, request, *args, **kwargs):
+        """ API 获取可选的 su_from 系统用户"""
+        queryset = self.filter_queryset(self.get_queryset())
+        queryset = queryset.filter(
+            protocol=SystemUser.Protocol.ssh, login_mode=SystemUser.LOGIN_AUTO
+        )
+        return self.get_paginate_response_if_need(queryset)
+
+    @action(methods=['get'], detail=True, url_path='su-to')
+    def su_to(self, request, *args, **kwargs):
+        """ 获取系统用户的所有 su_to 系统用户 """
+        pk = kwargs.get('pk')
+        system_user = get_object_or_404(SystemUser, pk=pk)
+        queryset = system_user.su_to.all()
+        queryset = self.filter_queryset(queryset)
+        return self.get_paginate_response_if_need(queryset)
+
+    def get_paginate_response_if_need(self, queryset):
+        page = self.paginate_queryset(queryset)
+        if page is not None:
+            serializer = self.get_serializer(page, many=True)
+            return self.get_paginated_response(serializer.data)
+        serializer = self.get_serializer(queryset, many=True)
+        return Response(serializer.data)
+

 class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
    """
@@ -57,6 +87,25 @@ class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
        return Response(status=204)


+class SystemUserTempAuthInfoApi(generics.CreateAPIView):
+    model = SystemUser
+    permission_classes = (IsValidUser,)
+    serializer_class = SystemUserTempAuthSerializer
+
+    def create(self, request, *args, **kwargs):
+        serializer = super().get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        pk = kwargs.get('pk')
+        user = self.request.user
+        data = serializer.validated_data
+        instance_id = data.get('instance_id')
+
+        with tmp_to_root_org():
+            instance = get_object_or_404(SystemUser, pk=pk)
+            instance.set_temp_auth(instance_id, user.id, data)
+        return Response(serializer.data, status=201)
+
+
 class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
    """
    Get system user with asset auth info
@@ -65,21 +114,28 @@ class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = SystemUserWithAuthInfoSerializer

-    def get_exception_handler(self):
-        def handler(e, context):
-            return Response({"error": str(e)}, status=400)
-        return handler
+    def get_object(self):
+        instance = super().get_object()
+        asset_id = self.kwargs.get('asset_id')
+        user_id = self.request.query_params.get("user_id")
+        username = self.request.query_params.get("username")
+        instance.load_asset_more_auth(asset_id, username, user_id)
+        return instance
+
+
+class SystemUserAppAuthInfoApi(generics.RetrieveAPIView):
+    """
+    Get system user with asset auth info
+    """
+    model = SystemUser
+    permission_classes = (IsOrgAdminOrAppUser,)
+    serializer_class = SystemUserWithAuthInfoSerializer

    def get_object(self):
        instance = super().get_object()
-        username = instance.username
-        if instance.username_same_with_user:
-            username = self.request.query_params.get("username")
-        asset_id = self.kwargs.get('aid')
-        asset = get_object_or_404(Asset, pk=asset_id)
-
-        with tmp_to_org(asset.org_id):
-            instance.load_asset_special_auth(asset=asset, username=username)
+        app_id = self.kwargs.get('app_id')
+        user_id = self.request.query_params.get("user_id")
+        instance.load_app_more_auth(app_id, user_id)
        return instance


@@ -87,19 +143,19 @@ class SystemUserTaskApi(generics.CreateAPIView):
    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.SystemUserTaskSerializer

-    def do_push(self, system_user, assets_id=None):
-        if assets_id is None:
+    def do_push(self, system_user, asset_ids=None):
+        if asset_ids is None:
            task = push_system_user_to_assets_manual.delay(system_user)
        else:
            username = self.request.query_params.get('username')
            task = push_system_user_to_assets.delay(
-                system_user.id, assets_id, username=username
+                system_user.id, asset_ids, username=username
            )
        return task

    @staticmethod
-    def do_test(system_user):
-        task = test_system_user_connectivity_manual.delay(system_user)
+    def do_test(system_user, asset_ids):
+        task = test_system_user_connectivity_manual.delay(system_user, asset_ids)
        return task

    def get_object(self):
@@ -109,16 +165,20 @@ class SystemUserTaskApi(generics.CreateAPIView):
    def perform_create(self, serializer):
        action = serializer.validated_data["action"]
        asset = serializer.validated_data.get('asset')
+
+        if asset:
+            assets = [asset]
+        else:
            assets = serializer.validated_data.get('assets') or []

+        asset_ids = [asset.id for asset in assets]
+        asset_ids = asset_ids if asset_ids else None
+
        system_user = self.get_object()
        if action == 'push':
-            assets = [asset] if asset else assets
-            assets_id = [asset.id for asset in assets]
-            assets_id = assets_id if assets_id else None
-            task = self.do_push(system_user, assets_id)
+            task = self.do_push(system_user, asset_ids)
        else:
-            task = self.do_test(system_user)
+            task = self.do_test(system_user, asset_ids)
        data = getattr(serializer, '_data', {})
        data["task"] = task.id
        setattr(serializer, '_data', data)
--- a/apps/assets/api/system_user_relation.py
+++ b/apps/assets/api/system_user_relation.py
@@ -1,30 +1,36 @@
 # -*- coding: utf-8 -*-
 #
 from collections import defaultdict
-from django.db.models import F, Value
+from django.db.models import F, Value, Model
 from django.db.models.signals import m2m_changed
 from django.db.models.functions import Concat

 from common.permissions import IsOrgAdmin
+from common.utils import get_logger
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import current_org
 from .. import models, serializers

 __all__ = [
    'SystemUserAssetRelationViewSet', 'SystemUserNodeRelationViewSet',
-    'SystemUserUserRelationViewSet',
+    'SystemUserUserRelationViewSet', 'BaseRelationViewSet',
 ]

+logger = get_logger(__name__)
+

 class RelationMixin:
+    model: Model
+
    def get_queryset(self):
        queryset = self.model.objects.all()
+        if not current_org.is_root():
            org_id = current_org.org_id()
-        if org_id is not None:
            queryset = queryset.filter(systemuser__org_id=org_id)
+
        queryset = queryset.annotate(systemuser_display=Concat(
-            F('systemuser__name'), Value('('), F('systemuser__username'),
-            Value(')')
+            F('systemuser__name'), Value('('),
+            F('systemuser__username'), Value(')')
        ))
        return queryset

@@ -40,10 +46,11 @@ class RelationMixin:
            system_users_objects_map[i.systemuser].append(_id)

        sender = self.get_sender()
-        for system_user, objects in system_users_objects_map.items():
+        for system_user, object_ids in system_users_objects_map.items():
+            logger.debug('System user relation changed, send m2m_changed signals')
            m2m_changed.send(
                sender=sender, instance=system_user, action='post_add',
-                reverse=False, model=model, pk_set=objects
+                reverse=False, model=model, pk_set=set(object_ids)
            )

    def get_sender(self):
@@ -70,7 +77,7 @@ class SystemUserAssetRelationViewSet(BaseRelationViewSet):
    ]
    search_fields = [
        "id", "asset__hostname", "asset__ip",
-        "systemuser__name", "systemuser__username"
+        "systemuser__name", "systemuser__username",
    ]

    def get_objects_attr(self):
--- a/apps/assets/apps.py
+++ b/apps/assets/apps.py
@@ -1,16 +1,6 @@
 from __future__ import unicode_literals

 from django.apps import AppConfig
-from django.db.models.signals import post_migrate
-
-
-def initial_some_nodes():
-    from .models import Node
-    Node.initial_some_nodes()
-
-
-def initial_some_nodes_callback(sender, **kwargs):
-    initial_some_nodes()


 class AssetsConfig(AppConfig):
@@ -19,7 +9,3 @@ class AssetsConfig(AppConfig):
    def ready(self):
        super().ready()
        from . import signals_handler
-        try:
-            initial_some_nodes()
-        except Exception:
-            post_migrate.connect(initial_some_nodes_callback, sender=self)
--- a/apps/assets/backends/init.py
+++ b/apps/assets/backends/init.py
@@ -1 +0,0 @@
-from .manager import AssetUserManager
--- a/apps/assets/backends/base.py
+++ b/apps/assets/backends/base.py
@@ -1,48 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from abc import abstractmethod
-
-from ..models import Asset
-
-
-class BaseBackend:
-    @abstractmethod
-    def all(self):
-        pass
-
-    @abstractmethod
-    def filter(self, username=None, hostname=None, ip=None, assets=None,
-               node=None, prefer_id=None, **kwargs):
-        pass
-
-    @abstractmethod
-    def search(self, item):
-        pass
-
-    @abstractmethod
-    def get_queryset(self):
-        pass
-
-    @abstractmethod
-    def delete(self, union_id):
-        pass
-
-    @staticmethod
-    def qs_to_values(qs):
-        values = qs.values(
-            'hostname', 'ip', "asset_id",
-            'username', 'password', 'private_key', 'public_key',
-            'score', 'version',
-            "asset_username", "union_id",
-            'date_created', 'date_updated',
-            'org_id', 'backend',
-        )
-        return values
-
-    @staticmethod
-    def make_assets_as_id(assets):
-        if not assets:
-            return []
-        if isinstance(assets[0], Asset):
-            assets = [a.id for a in assets]
-        return assets
--- a/apps/assets/backends/db.py
+++ b/apps/assets/backends/db.py
@@ -1,318 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext as _
-from functools import reduce
-from django.db.models import F, CharField, Value, IntegerField, Q, Count
-from django.db.models.functions import Concat
-
-from common.utils import get_object_or_none
-from orgs.utils import current_org
-from ..models import AuthBook, SystemUser, Asset, AdminUser
-from .base import BaseBackend
-
-
-class DBBackend(BaseBackend):
-    union_id_length = 2
-
-    def __init__(self, queryset=None):
-        if queryset is None:
-            queryset = self.all()
-        self.queryset = queryset
-
-    def _clone(self):
-        return self.__class__(self.queryset)
-
-    def all(self):
-        return AuthBook.objects.none()
-
-    def count(self):
-        return self.queryset.count()
-
-    def get_queryset(self):
-        return self.queryset
-
-    def delete(self, union_id):
-        cleaned_union_id = union_id.split('_')
-        # 如果union_id通不过本检查，代表可能不是本backend, 应该返回空
-        if not self._check_union_id(union_id, cleaned_union_id):
-            return
-        return self._perform_delete_by_union_id(cleaned_union_id)
-
-    def _perform_delete_by_union_id(self, union_id_cleaned):
-        pass
-
-    def filter(self, assets=None, node=None, prefer=None, prefer_id=None,
-               union_id=None, id__in=None, **kwargs):
-        clone = self._clone()
-        clone._filter_union_id(union_id)
-        clone._filter_prefer(prefer, prefer_id)
-        clone._filter_node(node)
-        clone._filter_assets(assets)
-        clone._filter_other(kwargs)
-        clone._filter_id_in(id__in)
-        return clone
-
-    def _filter_union_id(self, union_id):
-        if not union_id:
-            return
-        cleaned_union_id = union_id.split('_')
-        # 如果union_id通不过本检查，代表可能不是本backend, 应该返回空
-        if not self._check_union_id(union_id, cleaned_union_id):
-            self.queryset = self.queryset.none()
-            return
-        return self._perform_filter_union_id(union_id, cleaned_union_id)
-
-    def _check_union_id(self, union_id, cleaned_union_id):
-        return union_id and len(cleaned_union_id) == self.union_id_length
-
-    def _perform_filter_union_id(self, union_id, union_id_cleaned):
-        self.queryset = self.queryset.filter(union_id=union_id)
-
-    def _filter_assets(self, assets):
-        assets_id = self.make_assets_as_id(assets)
-        if assets_id:
-            self.queryset = self.queryset.filter(asset_id__in=assets_id)
-
-    def _filter_node(self, node):
-        pass
-
-    def _filter_id_in(self, ids):
-        if ids and isinstance(ids, list):
-            self.queryset = self.queryset.filter(union_id__in=ids)
-
-    @staticmethod
-    def clean_kwargs(kwargs):
-        return {k: v for k, v in kwargs.items() if v}
-
-    def _filter_other(self, kwargs):
-        kwargs = self.clean_kwargs(kwargs)
-        if kwargs:
-            self.queryset = self.queryset.filter(**kwargs)
-
-    def _filter_prefer(self, prefer, prefer_id):
-        pass
-
-    def search(self, item):
-        qs = []
-        for i in ['hostname', 'ip', 'username']:
-            kwargs = {i + '__startswith': item}
-            qs.append(Q(**kwargs))
-        q = reduce(lambda x, y: x | y, qs)
-        clone = self._clone()
-        clone.queryset = clone.queryset.filter(q).distinct()
-        return clone
-
-
-class SystemUserBackend(DBBackend):
-    model = SystemUser.assets.through
-    backend = 'system_user'
-    prefer = backend
-    base_score = 0
-    union_id_length = 2
-
-    def _filter_prefer(self, prefer, prefer_id):
-        if prefer and prefer != self.prefer:
-            self.queryset = self.queryset.none()
-
-        if prefer_id:
-            self.queryset = self.queryset.filter(systemuser__id=prefer_id)
-
-    def _perform_filter_union_id(self, union_id, union_id_cleaned):
-        system_user_id, asset_id = union_id_cleaned
-        self.queryset = self.queryset.filter(
-            asset_id=asset_id, systemuser__id=system_user_id,
-        )
-
-    def _perform_delete_by_union_id(self, union_id_cleaned):
-        system_user_id, asset_id = union_id_cleaned
-        system_user = get_object_or_none(SystemUser, pk=system_user_id)
-        asset = get_object_or_none(Asset, pk=asset_id)
-        if all((system_user, asset)):
-            system_user.assets.remove(asset)
-
-    def _filter_node(self, node):
-        if node:
-            self.queryset = self.queryset.filter(asset__nodes__id=node.id)
-
-    def get_annotate(self):
-        kwargs = dict(
-            hostname=F("asset__hostname"),
-            ip=F("asset__ip"),
-            username=F("systemuser__username"),
-            password=F("systemuser__password"),
-            private_key=F("systemuser__private_key"),
-            public_key=F("systemuser__public_key"),
-            score=F("systemuser__priority") + self.base_score,
-            version=Value(0, IntegerField()),
-            date_created=F("systemuser__date_created"),
-            date_updated=F("systemuser__date_updated"),
-            asset_username=Concat(F("asset__id"), Value("_"),
-                                  F("systemuser__username"),
-                                  output_field=CharField()),
-            union_id=Concat(F("systemuser_id"), Value("_"), F("asset_id"),
-                            output_field=CharField()),
-            org_id=F("asset__org_id"),
-            backend=Value(self.backend, CharField())
-        )
-        return kwargs
-
-    def get_filter(self):
-        return dict(
-            systemuser__username_same_with_user=False,
-        )
-
-    def all(self):
-        kwargs = self.get_annotate()
-        filters = self.get_filter()
-        qs = self.model.objects.all().annotate(**kwargs)
-        if current_org.org_id() is not None:
-            filters['org_id'] = current_org.org_id()
-        qs = qs.filter(**filters)
-        qs = self.qs_to_values(qs)
-        return qs
-
-
-class DynamicSystemUserBackend(SystemUserBackend):
-    backend = 'system_user_dynamic'
-    prefer = 'system_user'
-    union_id_length = 3
-
-    def get_annotate(self):
-        kwargs = super().get_annotate()
-        kwargs.update(dict(
-            username=F("systemuser__users__username"),
-            asset_username=Concat(
-                F("asset__id"), Value("_"),
-                F("systemuser__users__username"),
-                output_field=CharField()
-            ),
-            union_id=Concat(
-                F("systemuser_id"), Value("_"), F("asset_id"),
-                Value("_"), F("systemuser__users__id"),
-                output_field=CharField()
-            ),
-            users_count=Count('systemuser__users'),
-        ))
-        return kwargs
-
-    def _perform_filter_union_id(self, union_id, union_id_cleaned):
-        system_user_id, asset_id, user_id = union_id_cleaned
-        self.queryset = self.queryset.filter(
-            asset_id=asset_id, systemuser_id=system_user_id,
-            union_id=union_id,
-        )
-
-    def _perform_delete_by_union_id(self, union_id_cleaned):
-        system_user_id, asset_id, user_id = union_id_cleaned
-        system_user = get_object_or_none(SystemUser, pk=system_user_id)
-        if not system_user:
-            return
-        system_user.users.remove(user_id)
-        if system_user.users.count() == 0:
-            system_user.assets.remove(asset_id)
-
-    def get_filter(self):
-        return dict(
-            users_count__gt=0,
-            systemuser__username_same_with_user=True
-        )
-
-
-class AdminUserBackend(DBBackend):
-    model = Asset
-    backend = 'admin_user'
-    prefer = backend
-    base_score = 200
-
-    def _filter_prefer(self, prefer, prefer_id):
-        if prefer and prefer != self.backend:
-            self.queryset = self.queryset.none()
-        if prefer_id:
-            self.queryset = self.queryset.filter(admin_user__id=prefer_id)
-
-    def _filter_node(self, node):
-        if node:
-            self.queryset = self.queryset.filter(nodes__id=node.id)
-
-    def _perform_filter_union_id(self, union_id, union_id_cleaned):
-        admin_user_id, asset_id = union_id_cleaned
-        self.queryset = self.queryset.filter(
-            id=asset_id, admin_user_id=admin_user_id,
-        )
-
-    def _perform_delete_by_union_id(self, union_id_cleaned):
-        raise PermissionError(_("Could not remove asset admin user"))
-
-    def all(self):
-        qs = self.model.objects.all().annotate(
-            asset_id=F("id"),
-            username=F("admin_user__username"),
-            password=F("admin_user__password"),
-            private_key=F("admin_user__private_key"),
-            public_key=F("admin_user__public_key"),
-            score=Value(self.base_score, IntegerField()),
-            version=Value(0, IntegerField()),
-            date_updated=F("admin_user__date_updated"),
-            asset_username=Concat(F("id"), Value("_"), F("admin_user__username"), output_field=CharField()),
-            union_id=Concat(F("admin_user_id"), Value("_"), F("id"), output_field=CharField()),
-            backend=Value(self.backend, CharField()),
-        )
-        qs = self.qs_to_values(qs)
-        return qs
-
-
-class AuthbookBackend(DBBackend):
-    model = AuthBook
-    backend = 'db'
-    prefer = backend
-    base_score = 400
-
-    def _filter_node(self, node):
-        if node:
-            self.queryset = self.queryset.filter(asset__nodes__id=node.id)
-
-    def _filter_prefer(self, prefer, prefer_id):
-        if not prefer or not prefer_id:
-            return
-        if prefer.lower() == "admin_user":
-            model = AdminUser
-        elif prefer.lower() == "system_user":
-            model = SystemUser
-        else:
-            self.queryset = self.queryset.none()
-            return
-        obj = get_object_or_none(model, pk=prefer_id)
-        if obj is None:
-            self.queryset = self.queryset.none()
-            return
-        username = obj.get_username()
-        if isinstance(username, str):
-            self.queryset = self.queryset.filter(username=username)
-        # dynamic system user return more username
-        else:
-            self.queryset = self.queryset.filter(username__in=username)
-
-    def _perform_filter_union_id(self, union_id, union_id_cleaned):
-        authbook_id, asset_id = union_id_cleaned
-        self.queryset = self.queryset.filter(
-            id=authbook_id, asset_id=asset_id,
-        )
-
-    def _perform_delete_by_union_id(self, union_id_cleaned):
-        authbook_id, asset_id = union_id_cleaned
-        authbook = get_object_or_none(AuthBook, pk=authbook_id)
-        if authbook.is_latest:
-            raise PermissionError(_("Latest version could not be delete"))
-        AuthBook.objects.filter(id=authbook_id).delete()
-
-    def all(self):
-        qs = self.model.objects.all().annotate(
-            hostname=F("asset__hostname"),
-            ip=F("asset__ip"),
-            score=F('version') + self.base_score,
-            asset_username=Concat(F("asset__id"), Value("_"), F("username"), output_field=CharField()),
-            union_id=Concat(F("id"), Value("_"), F("asset_id"), output_field=CharField()),
-            backend=Value(self.backend, CharField()),
-        )
-        qs = self.qs_to_values(qs)
-        return qs
--- a/apps/assets/backends/manager.py
+++ b/apps/assets/backends/manager.py
@@ -1,162 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from itertools import chain, groupby
-from django.core.exceptions import MultipleObjectsReturned, ObjectDoesNotExist
-
-from orgs.utils import current_org
-from common.utils import get_logger, lazyproperty
-from common.struct import QuerySetChain
-
-from ..models import AssetUser, AuthBook
-from .db import (
-    AuthbookBackend, SystemUserBackend, AdminUserBackend,
-    DynamicSystemUserBackend
-)
-
-logger = get_logger(__name__)
-
-
-class NotSupportError(Exception):
-    pass
-
-
-class AssetUserQueryset:
-    ObjectDoesNotExist = ObjectDoesNotExist
-    MultipleObjectsReturned = MultipleObjectsReturned
-
-    def __init__(self, backends=()):
-        self.backends = backends
-        self._distinct_queryset = None
-
-    def backends_queryset(self):
-        return [b.get_queryset() for b in self.backends]
-
-    @lazyproperty
-    def backends_counts(self):
-        return [b.count() for b in self.backends]
-
-    def filter(self, hostname=None, ip=None, username=None,
-               assets=None, asset=None, node=None,
-               id=None, prefer_id=None, prefer=None, id__in=None):
-        if not assets and asset:
-            assets = [asset]
-
-        kwargs = dict(
-            hostname=hostname, ip=ip, username=username,
-            assets=assets, node=node, prefer=prefer, prefer_id=prefer_id,
-            id__in=id__in, union_id=id,
-        )
-        logger.debug("Filter: {}".format(kwargs))
-        backends = []
-        for backend in self.backends:
-            clone = backend.filter(**kwargs)
-            backends.append(clone)
-        return self._clone(backends)
-
-    def _clone(self, backends=None):
-        if backends is None:
-            backends = self.backends
-        return self.__class__(backends)
-
-    def search(self, item):
-        backends = []
-        for backend in self.backends:
-            new = backend.search(item)
-            backends.append(new)
-        return self._clone(backends)
-
-    def distinct(self):
-        logger.debug("Distinct asset user queryset")
-        queryset_chain = chain(*(backend.get_queryset() for backend in self.backends))
-        queryset_sorted = sorted(
-            queryset_chain,
-            key=lambda item: (item["asset_username"], item["score"]),
-            reverse=True,
-        )
-        results = groupby(queryset_sorted, key=lambda item: item["asset_username"])
-        final = [next(result[1]) for result in results]
-        self._distinct_queryset = final
-        return self
-
-    def get(self, latest=False, **kwargs):
-        queryset = self.filter(**kwargs)
-        if latest:
-            queryset = queryset.distinct()
-        queryset = list(queryset)
-        count = len(queryset)
-        if count == 1:
-            data = queryset[0]
-            return data
-        elif count > 1:
-            msg = 'Should return 1 record, but get {}'.format(count)
-            raise MultipleObjectsReturned(msg)
-        else:
-            msg = 'No record found(org is {})'.format(current_org.name)
-            raise ObjectDoesNotExist(msg)
-
-    def get_latest(self, **kwargs):
-        return self.get(latest=True, **kwargs)
-
-    @staticmethod
-    def to_asset_user(data):
-        obj = AssetUser()
-        for k, v in data.items():
-            setattr(obj, k, v)
-        return obj
-
-    @property
-    def queryset(self):
-        if self._distinct_queryset is not None:
-            return self._distinct_queryset
-        return QuerySetChain(self.backends_queryset())
-
-    def count(self):
-        if self._distinct_queryset is not None:
-            return len(self._distinct_queryset)
-        else:
-            return sum(self.backends_counts)
-
-    def __getitem__(self, ndx):
-        return self.queryset.__getitem__(ndx)
-
-    def __iter__(self):
-        self._data = iter(self.queryset)
-        return self
-
-    def __next__(self):
-        return self.to_asset_user(next(self._data))
-
-
-class AssetUserManager:
-    support_backends = (
-        ('db', AuthbookBackend),
-        ('system_user', SystemUserBackend),
-        ('admin_user', AdminUserBackend),
-        ('system_user_dynamic', DynamicSystemUserBackend),
-    )
-
-    def __init__(self):
-        self.backends = [backend() for name, backend in self.support_backends]
-        self._queryset = AssetUserQueryset(self.backends)
-
-    def all(self):
-        return self._queryset
-
-    def delete(self, obj):
-        name_backends_map = dict(self.support_backends)
-        backend_name = obj.backend
-        backend_cls = name_backends_map.get(backend_name)
-        union_id = obj.union_id
-        if backend_cls:
-            backend_cls().delete(union_id)
-        else:
-            raise ObjectDoesNotExist("Not backend found")
-
-    @staticmethod
-    def create(**kwargs):
-        # 使用create方法创建AuthBook对象，解决并发创建问题（添加锁机制）
-        authbook = AuthBook.create(**kwargs)
-        return authbook
-
-    def __getattr__(self, item):
-        return getattr(self._queryset, item)
--- a/apps/assets/backends/utils.py
+++ b/apps/assets/backends/utils.py
@@ -1,7 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-# from django.conf import settings
-
-# from .vault import VaultBackend
-
--- a/apps/assets/backends/vault.py
+++ b/apps/assets/backends/vault.py
@@ -1,4 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-
--- a/apps/assets/locks.py
+++ b/apps/assets/locks.py
@@ -0,0 +1,29 @@
+from orgs.utils import current_org
+from common.utils.lock import DistributedLock
+from assets.models import Node
+
+
+class NodeTreeUpdateLock(DistributedLock):
+    name_template = 'assets.node.tree.update.<org_id:{org_id}>'
+
+    def get_name(self):
+        if current_org:
+            org_id = current_org.id
+        else:
+            org_id = 'current_org_is_null'
+        name = self.name_template.format(
+            org_id=org_id
+        )
+        return name
+
+    def __init__(self):
+        name = self.get_name()
+        super().__init__(name=name, release_on_transaction_commit=True, reentrant=True)
+
+
+class NodeAddChildrenLock(DistributedLock):
+    name_template = 'assets.node.add_children.<org_id:{org_id}>'
+
+    def __init__(self, node: Node):
+        name = self.name_template.format(org_id=node.org_id)
+        super().__init__(name=name, release_on_transaction_commit=True)
--- a/apps/assets/migrations/0002_auto_20180105_1807.py
+++ b/apps/assets/migrations/0002_auto_20180105_1807.py
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-01-05 10:07
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='adminuser',
+            options={'ordering': ['name'], 'verbose_name': 'Admin user'},
+        ),
+        migrations.AlterModelOptions(
+            name='asset',
+            options={'verbose_name': 'Asset'},
+        ),
+        migrations.AlterModelOptions(
+            name='assetgroup',
+            options={'ordering': ['name'], 'verbose_name': 'Asset group'},
+        ),
+        migrations.AlterModelOptions(
+            name='cluster',
+            options={'ordering': ['name'], 'verbose_name': 'Cluster'},
+        ),
+        migrations.AlterModelOptions(
+            name='systemuser',
+            options={'ordering': ['name'], 'verbose_name': 'System user'},
+        ),
+    ]
--- a/apps/assets/migrations/0003_auto_20180109_2331.py
+++ b/apps/assets/migrations/0003_auto_20180109_2331.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-01-09 15:31
+from __future__ import unicode_literals
+
+import assets.models.asset
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0002_auto_20180105_1807'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='cluster',
+            field=models.ForeignKey(default=assets.models.asset.default_cluster, on_delete=django.db.models.deletion.SET_DEFAULT, related_name='assets', to='assets.Cluster', verbose_name='Cluster'),
+        ),
+    ]
--- a/apps/assets/migrations/0004_auto_20180125_1218.py
+++ b/apps/assets/migrations/0004_auto_20180125_1218.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-01-25 04:18
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0003_auto_20180109_2331'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='assetgroup',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by'),
+        ),
+    ]
--- a/apps/assets/migrations/0005_auto_20180126_1637.py
+++ b/apps/assets/migrations/0005_auto_20180126_1637.py
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-01-26 08:37
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0004_auto_20180125_1218'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Label',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('value', models.CharField(max_length=128, verbose_name='Value')),
+                ('category', models.CharField(choices=[('S', 'System'), ('U', 'User')], default='U', max_length=128, verbose_name='Category')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+            ],
+            options={
+                'db_table': 'assets_label',
+            },
+        ),
+        migrations.AlterUniqueTogether(
+            name='label',
+            unique_together=set([('name', 'value')]),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='labels',
+            field=models.ManyToManyField(blank=True, related_name='assets', to='assets.Label', verbose_name='Labels'),
+        ),
+    ]
--- a/apps/assets/migrations/0006_auto_20180130_1502.py
+++ b/apps/assets/migrations/0006_auto_20180130_1502.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-01-30 07:02
+from __future__ import unicode_literals
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0005_auto_20180126_1637'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='asset',
+            name='cabinet_no',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='cabinet_pos',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='env',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='remote_card_ip',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='status',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='type',
+        ),
+    ]
--- a/apps/assets/migrations/0007_auto_20180225_1815.py
+++ b/apps/assets/migrations/0007_auto_20180225_1815.py
@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-02-25 10:15
+from __future__ import unicode_literals
+
+import assets.models.asset
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0006_auto_20180130_1502'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Node',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('key', models.CharField(max_length=64, unique=True, verbose_name='Key')),
+                ('value', models.CharField(max_length=128, unique=True, verbose_name='Value')),
+                ('child_mark', models.IntegerField(default=0)),
+                ('date_create', models.DateTimeField(auto_now_add=True)),
+            ],
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='cluster',
+        ),
+        migrations.RemoveField(
+            model_name='asset',
+            name='groups',
+        ),
+        migrations.RemoveField(
+            model_name='systemuser',
+            name='cluster',
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='admin_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.PROTECT, to='assets.AdminUser', verbose_name='Admin user'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='nodes',
+            field=models.ManyToManyField(default=assets.models.asset.default_node, related_name='assets', to='assets.Node', verbose_name='Nodes'),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='nodes',
+            field=models.ManyToManyField(blank=True, to='assets.Node', verbose_name='Nodes'),
+        ),
+    ]
--- a/apps/assets/migrations/0008_auto_20180306_1804.py
+++ b/apps/assets/migrations/0008_auto_20180306_1804.py
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-03-06 10:04
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0007_auto_20180225_1815'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='created_by',
+            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=128, verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='platform',
+            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='created_by',
+            field=models.CharField(max_length=128, null=True, verbose_name='Created by'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=128, verbose_name='Username'),
+        ),
+    ]
--- a/apps/assets/migrations/0009_auto_20180307_1212.py
+++ b/apps/assets/migrations/0009_auto_20180307_1212.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-03-07 04:12
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0008_auto_20180306_1804'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='node',
+            name='value',
+            field=models.CharField(max_length=128, verbose_name='Value'),
+        ),
+    ]
--- a/apps/assets/migrations/0010_auto_20180307_1749.py
+++ b/apps/assets/migrations/0010_auto_20180307_1749.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-03-07 09:49
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0009_auto_20180307_1212'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='node',
+            name='value',
+            field=models.CharField(max_length=128, unique=True, verbose_name='Value'),
+        ),
+    ]
--- a/apps/assets/migrations/0011_auto_20180326_0957.py
+++ b/apps/assets/migrations/0011_auto_20180326_0957.py
@@ -0,0 +1,55 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-03-26 01:57
+from __future__ import unicode_literals
+
+import assets.models.utils
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0010_auto_20180307_1749'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Domain',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+            ],
+        ),
+        migrations.CreateModel(
+            name='Gateway',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('username', models.CharField(max_length=128, verbose_name='Username')),
+                ('_password', models.CharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('_private_key', models.TextField(blank=True, max_length=4096, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key')),
+                ('_public_key', models.TextField(blank=True, max_length=4096, verbose_name='SSH public key')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('ip', models.GenericIPAddressField(db_index=True, verbose_name='IP')),
+                ('port', models.IntegerField(default=22, verbose_name='Port')),
+                ('protocol', models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('comment', models.CharField(blank=True, max_length=128, null=True, verbose_name='Comment')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('domain', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Domain', verbose_name='Domain')),
+            ],
+            options={
+                'abstract': False,
+            },
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='domain',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='assets', to='assets.Domain', verbose_name='Domain'),
+        ),
+    ]
--- a/apps/assets/migrations/0012_auto_20180404_1302.py
+++ b/apps/assets/migrations/0012_auto_20180404_1302.py
@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-04-04 05:02
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0011_auto_20180326_0957'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='domain',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='assets', to='assets.Domain', verbose_name='Domain'),
+        ),
+    ]
--- a/apps/assets/migrations/0013_auto_20180411_1135.py
+++ b/apps/assets/migrations/0013_auto_20180411_1135.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-04-11 03:35
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0012_auto_20180404_1302'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='systemuser',
+            name='assets',
+            field=models.ManyToManyField(blank=True, to='assets.Asset', verbose_name='Assets'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='sudo',
+            field=models.TextField(default='/bin/whoami', verbose_name='Sudo'),
+        ),
+    ]
--- a/apps/assets/migrations/0014_auto_20180427_1245.py
+++ b/apps/assets/migrations/0014_auto_20180427_1245.py
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-04-27 04:45
+from __future__ import unicode_literals
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0013_auto_20180411_1135'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_-]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+    ]
--- a/apps/assets/migrations/0015_auto_20180510_1235.py
+++ b/apps/assets/migrations/0015_auto_20180510_1235.py
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-05-10 04:35
+from __future__ import unicode_literals
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0014_auto_20180427_1245'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+    ]
--- a/apps/assets/migrations/0016_auto_20180511_1203.py
+++ b/apps/assets/migrations/0016_auto_20180511_1203.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-05-11 04:03
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0015_auto_20180510_1235'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='node',
+            name='value',
+            field=models.CharField(max_length=128, verbose_name='Value'),
+        ),
+    ]
--- a/apps/assets/migrations/0017_auto_20180702_1415.py
+++ b/apps/assets/migrations/0017_auto_20180702_1415.py
@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11 on 2018-07-02 06:15
+from __future__ import unicode_literals
+
+import django.core.validators
+from django.db import migrations, models
+
+
+def migrate_win_to_ssh_protocol(apps, schema_editor):
+    asset_model = apps.get_model("assets", "Asset")
+    db_alias = schema_editor.connection.alias
+    asset_model.objects.using(db_alias).filter(platform__startswith='Win').update(protocol='rdp')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0016_auto_20180511_1203'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='login_mode',
+            field=models.CharField(choices=[('auto', 'Automatic login'), ('manual', 'Manually login')], default='auto', max_length=10, verbose_name='Login mode'),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='username',
+            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='platform',
+            field=models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Windows2016', 'Windows(2016)'), ('Other', 'Other')], default='Linux', max_length=128, verbose_name='Platform'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='username',
+            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('telnet', 'telnet (beta)')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='username',
+            field=models.CharField(blank=True, max_length=32, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username'),
+        ),
+        migrations.RunPython(migrate_win_to_ssh_protocol),
+    ]
--- a/apps/assets/migrations/0018_auto_20180807_1116.py
+++ b/apps/assets/migrations/0018_auto_20180807_1116.py
@@ -0,0 +1,84 @@
+# Generated by Django 2.0.7 on 2018-08-07 03:16
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0017_auto_20180702_1415'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='adminuser',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='domain',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='gateway',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='label',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='node',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='org_id',
+            field=models.CharField(blank=True, default=None, max_length=36, null=True),
+        ),
+        migrations.AlterField(
+            model_name='adminuser',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='hostname',
+            field=models.CharField(max_length=128, verbose_name='Hostname'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='name',
+            field=models.CharField(max_length=128, verbose_name='Name'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='adminuser',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='asset',
+            unique_together={('org_id', 'hostname')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='gateway',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='systemuser',
+            unique_together={('name', 'org_id')},
+        ),
+    ]
--- a/apps/assets/migrations/0019_auto_20180816_1320.py
+++ b/apps/assets/migrations/0019_auto_20180816_1320.py
@@ -0,0 +1,22 @@
+# Generated by Django 2.0.7 on 2018-08-16 05:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0018_auto_20180807_1116'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='asset',
+            name='cpu_vcpus',
+            field=models.IntegerField(null=True, verbose_name='CPU vcpus'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='label',
+            unique_together={('name', 'value', 'org_id')},
+        ),
+    ]
--- a/apps/assets/migrations/0066_auto_20210208_1802.py
+++ b/apps/assets/migrations/0066_auto_20210208_1802.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.1 on 2021-02-08 10:02
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0065_auto_20210121_1549'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='asset',
+            options={'ordering': ['hostname'], 'verbose_name': 'Asset'},
+        ),
+    ]
--- a/apps/assets/migrations/0067_auto_20210311_1113.py
+++ b/apps/assets/migrations/0067_auto_20210311_1113.py
@@ -0,0 +1,48 @@
+# Generated by Django 3.1 on 2021-03-11 03:13
+
+import django.core.validators
+from django.db import migrations, models
+
+
+def migrate_cmd_filter_priority(apps, schema_editor):
+    cmd_filter_rule_model = apps.get_model('assets', 'CommandFilterRule')
+    cmd_filter_rules = cmd_filter_rule_model.objects.all()
+    for cmd_filter_rule in cmd_filter_rules:
+        cmd_filter_rule.priority = 100 - cmd_filter_rule.priority + 1
+
+    cmd_filter_rule_model.objects.bulk_update(cmd_filter_rules, fields=['priority'])
+
+
+def migrate_system_user_priority(apps, schema_editor):
+    system_user_model = apps.get_model('assets', 'SystemUser')
+    system_users = system_user_model.objects.all()
+    for system_user in system_users:
+        system_user.priority = 100 - system_user.priority + 1
+
+    system_user_model.objects.bulk_update(system_users, fields=['priority'])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0066_auto_20210208_1802'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_cmd_filter_priority),
+        migrations.RunPython(migrate_system_user_priority),
+        migrations.AlterModelOptions(
+            name='commandfilterrule',
+            options={'ordering': ('priority', 'action'), 'verbose_name': 'Command filter rule'},
+        ),
+        migrations.AlterField(
+            model_name='commandfilterrule',
+            name='priority',
+            field=models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='priority',
+            field=models.IntegerField(default=20, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority'),
+        ),
+    ]
--- a/apps/assets/migrations/0068_auto_20210312_1455.py
+++ b/apps/assets/migrations/0068_auto_20210312_1455.py
@@ -0,0 +1,19 @@
+# Generated by Django 3.1 on 2021-03-12 06:55
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0067_auto_20210311_1113'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='systemuser',
+            name='priority',
+            field=models.IntegerField(default=81, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority'),
+        ),
+    ]
--- a/apps/assets/migrations/0069_change_node_key0_to_key1.py
+++ b/apps/assets/migrations/0069_change_node_key0_to_key1.py
@@ -0,0 +1,61 @@
+from django.db import migrations
+from django.db.transaction import atomic
+
+default_id = '00000000-0000-0000-0000-000000000002'
+
+
+def change_key0_to_key1(apps, schema_editor):
+    from orgs.utils import set_current_org
+
+    # https://stackoverflow.com/questions/28777338/django-migrations-runpython-not-able-to-call-model-methods
+    Organization = apps.get_model('orgs', 'Organization')
+    Node = apps.get_model('assets', 'Node')
+
+    print()
+    org = Organization.objects.get(id=default_id)
+    set_current_org(org)
+
+    exists_0 = Node.objects.filter(key__startswith='0').exists()
+    if not exists_0:
+        print(f'--> Not exist key=0 nodes, do nothing.')
+        return
+
+    key_1_count = Node.objects.filter(key__startswith='1').count()
+    if key_1_count > 1:
+        print(f'--> Node key=1 have children, can`t just delete it. Please contact JumpServer team')
+        return
+
+    root_node = Node.objects.filter(key='1').first()
+    if root_node and root_node.assets.exists():
+        print(f'--> Node key=1 has assets, do nothing.')
+        return
+
+    with atomic():
+        if root_node:
+            print(f'--> Delete node key=1')
+            root_node.delete()
+
+        nodes_0 = Node.objects.filter(key__startswith='0')
+
+        for n in nodes_0:
+            old_key = n.key
+            key_list = n.key.split(':')
+            key_list[0] = '1'
+            new_key = ':'.join(key_list)
+            new_parent_key = ':'.join(key_list[:-1])
+            n.key = new_key
+            n.parent_key = new_parent_key
+            n.save()
+            print('--> Modify key ( {} > {} )'.format(old_key, new_key))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('orgs', '0010_auto_20210219_1241'),
+        ('assets', '0068_auto_20210312_1455'),
+    ]
+
+    operations = [
+        migrations.RunPython(change_key0_to_key1)
+    ]
--- a/apps/assets/migrations/0070_auto_20210426_1515.py
+++ b/apps/assets/migrations/0070_auto_20210426_1515.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1 on 2021-04-26 07:15
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0069_change_node_key0_to_key1'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='commandfilterrule',
+            name='reviewers',
+            field=models.ManyToManyField(blank=True, related_name='review_cmd_filter_rules', to=settings.AUTH_USER_MODEL, verbose_name='Reviewers'),
+        ),
+        migrations.AlterField(
+            model_name='commandfilterrule',
+            name='action',
+            field=models.IntegerField(choices=[(0, 'Deny'), (1, 'Allow'), (2, 'Reconfirm')], default=0, verbose_name='Action'),
+        ),
+    ]
--- a/apps/assets/migrations/0071_systemuser_type.py
+++ b/apps/assets/migrations/0071_systemuser_type.py
@@ -0,0 +1,104 @@
+# Generated by Django 3.1.6 on 2021-06-04 16:46
+import uuid
+from django.db import migrations, models, transaction
+import django.db.models.deletion
+from django.db import IntegrityError
+from django.db.models import F
+
+
+def migrate_admin_user_to_system_user(apps, schema_editor):
+    admin_user_model = apps.get_model("assets", "AdminUser")
+    system_user_model = apps.get_model("assets", "SystemUser")
+    db_alias = schema_editor.connection.alias
+
+    admin_users = admin_user_model.objects.using(db_alias).all()
+    print()
+    for admin_user in admin_users:
+        kwargs = {}
+        for attr in [
+            'org_id', 'username', 'password', 'private_key', 'public_key',
+            'comment', 'date_created', 'date_updated', 'created_by',
+        ]:
+            value = getattr(admin_user, attr)
+            kwargs[attr] = value
+
+        name = admin_user.name
+        exist = system_user_model.objects.using(db_alias).filter(
+            name=admin_user.name, org_id=admin_user.org_id
+        ).exists()
+        if exist:
+            name = admin_user.name + '_' + str(admin_user.id)[:5]
+
+        i = admin_user.id
+        exist = system_user_model.objects.using(db_alias).filter(
+            id=i, org_id=admin_user.org_id
+        ).exists()
+        if exist:
+            i = uuid.uuid4()
+
+        kwargs.update({
+            'id': i,
+            'name': name,
+            'type': 'admin',
+            'protocol': 'ssh',
+            'auto_push': False,
+        })
+
+        with transaction.atomic():
+            s = system_user_model(**kwargs)
+            try:
+                s.save()
+            except IntegrityError:
+                s.id = None
+                s.save()
+            print("  Migrate admin user to system user: {} => {}".format(admin_user.name, s.name))
+            assets = admin_user.assets.all()
+            s.assets.set(assets)
+
+
+def migrate_assets_admin_user(apps, schema_editor):
+    asset_model = apps.get_model("assets", "Asset")
+    db_alias = schema_editor.connection.alias
+    assets = asset_model.objects.using(db_alias).all()
+    assets.update(admin_user=F('_admin_user'))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0070_auto_20210426_1515'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='systemuser',
+            name='type',
+            field=models.CharField(choices=[('common', 'Common user'), ('admin', 'Admin user')], default='common', max_length=16, verbose_name='Type'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='login_mode',
+            field=models.CharField(choices=[('auto', 'Automatic managed'), ('manual', 'Manually input')], default='auto', max_length=10, verbose_name='Login mode'),
+        ),
+        migrations.AlterField(
+            model_name='systemuser',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+        migrations.RunPython(migrate_admin_user_to_system_user),
+        migrations.RenameField(
+            model_name='asset',
+            old_name='admin_user',
+            new_name='_admin_user',
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='admin_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='admin_assets', to='assets.systemuser', verbose_name='Admin user'),
+        ),
+        migrations.RunPython(migrate_assets_admin_user),
+        migrations.RemoveField(
+            model_name='asset',
+            name='_admin_user',
+        ),
+    ]
--- a/apps/assets/migrations/0072_historicalauthbook.py
+++ b/apps/assets/migrations/0072_historicalauthbook.py
@@ -0,0 +1,85 @@
+# Generated by Django 3.1.6 on 2021-06-05 16:10
+
+import common.fields.model
+from django.conf import settings
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import simple_history.models
+import uuid
+from django.utils import timezone
+from django.db import migrations, transaction
+
+
+def migrate_old_authbook_to_history(apps, schema_editor):
+    authbook_model = apps.get_model("assets", "AuthBook")
+    history_model = apps.get_model("assets", "HistoricalAuthBook")
+    db_alias = schema_editor.connection.alias
+
+    print()
+    while True:
+        authbooks = authbook_model.objects.using(db_alias).filter(is_latest=False)[:1000]
+        if not authbooks:
+            break
+        historys = []
+        authbook_ids = []
+        # Todo: 或许能优化成更新那样
+        for authbook in authbooks:
+            authbook_ids.append(authbook.id)
+            history = history_model()
+
+            for attr in [
+                'id', 'username', 'password', 'private_key', 'public_key', 'version',
+                'comment', 'created_by', 'asset', 'date_created', 'date_updated'
+            ]:
+                setattr(history, attr, getattr(authbook, attr))
+            history.history_type = '-'
+            history.history_date = timezone.now()
+            historys.append(history)
+
+        with transaction.atomic():
+            print("  Migrate old auth book to history table: {} items".format(len(authbook_ids)))
+            history_model.objects.bulk_create(historys, ignore_conflicts=True)
+            authbook_model.objects.filter(id__in=authbook_ids).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0071_systemuser_type'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='HistoricalAuthBook',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('is_latest', models.BooleanField(default=False, verbose_name='Latest version')),
+                ('history_id', models.AutoField(primary_key=True, serialize=False)),
+                ('history_date', models.DateTimeField()),
+                ('history_change_reason', models.CharField(max_length=100, null=True)),
+                ('history_type', models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
+                ('asset', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='assets.asset', verbose_name='Asset')),
+                ('history_user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'historical AuthBook',
+                'ordering': ('-history_date', '-history_id'),
+                'get_latest_by': 'history_date',
+            },
+            bases=(simple_history.models.HistoricalChanges, models.Model),
+        ),
+        migrations.RunPython(migrate_old_authbook_to_history)
+    ]
--- a/apps/assets/migrations/0073_auto_20210606_1142.py
+++ b/apps/assets/migrations/0073_auto_20210606_1142.py
@@ -0,0 +1,105 @@
+# Generated by Django 3.1.6 on 2021-06-06 03:42
+
+from django.utils import timezone
+from django.db import migrations, models, transaction
+import django.db.models.deletion
+
+
+def migrate_system_assets_to_authbook(apps, schema_editor):
+    system_user_model = apps.get_model("assets", "SystemUser")
+    system_user_asset_model = system_user_model.assets.through
+    authbook_model = apps.get_model('assets', 'AuthBook')
+    history_model = apps.get_model("assets", "HistoricalAuthBook")
+
+    print()
+    system_users = system_user_model.objects.all()
+    for s in system_users:
+        while True:
+            systemuser_asset_relations = system_user_asset_model.objects.filter(systemuser=s)[:1000]
+            if not systemuser_asset_relations:
+                break
+            authbooks = []
+            relations_ids = []
+            historys = []
+            for i in systemuser_asset_relations:
+                authbook = authbook_model(asset=i.asset, systemuser=i.systemuser, org_id=s.org_id)
+                authbooks.append(authbook)
+                relations_ids.append(i.id)
+
+                history = history_model(
+                    asset=i.asset, systemuser=i.systemuser,
+                    date_created=timezone.now(), date_updated=timezone.now(),
+                )
+                history.history_type = '-'
+                history.history_date = timezone.now()
+                historys.append(history)
+
+            with transaction.atomic():
+                print("  Migrate system user assets relations: {} items".format(len(relations_ids)))
+                authbook_model.objects.bulk_create(authbooks, ignore_conflicts=True)
+                history_model.objects.bulk_create(historys)
+                system_user_asset_model.objects.filter(id__in=relations_ids).delete()
+
+
+def migrate_authbook_secret_to_system_user(apps, schema_editor):
+    authbook_model = apps.get_model('assets', 'AuthBook')
+    history_model = apps.get_model('assets', 'HistoricalAuthBook')
+
+    print()
+    authbooks_without_systemuser = authbook_model.objects.filter(systemuser__isnull=True)
+    for authbook in authbooks_without_systemuser:
+        matched = authbook_model.objects.filter(
+            asset=authbook.asset, systemuser__username=authbook.username
+        )
+        if not matched:
+            continue
+        historys = []
+        for i in matched:
+            history = history_model(
+                asset=i.asset, systemuser=i.systemuser,
+                date_created=timezone.now(), date_updated=timezone.now(),
+                version=authbook.version
+            )
+            history.history_type = '-'
+            history.history_date = timezone.now()
+            historys.append(history)
+
+        with transaction.atomic():
+            print("  Migrate secret to system user assets account: {} items".format(len(historys)))
+            matched.update(password=authbook.password, private_key=authbook.private_key,
+                           public_key=authbook.public_key, version=authbook.version)
+            history_model.objects.bulk_create(historys)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0072_historicalauthbook'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='authbook',
+            name='systemuser',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.systemuser', verbose_name='System user'),
+        ),
+        migrations.AddField(
+            model_name='historicalauthbook',
+            name='systemuser',
+            field=models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='assets.systemuser', verbose_name='System user'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='authbook',
+            unique_together={('username', 'asset', 'systemuser')},
+        ),
+        migrations.RunPython(migrate_system_assets_to_authbook),
+        migrations.RunPython(migrate_authbook_secret_to_system_user),
+        migrations.RemoveField(
+            model_name='authbook',
+            name='is_latest',
+        ),
+        migrations.RemoveField(
+            model_name='historicalauthbook',
+            name='is_latest',
+        ),
+    ]
--- a/apps/assets/migrations/0074_remove_systemuser_assets.py
+++ b/apps/assets/migrations/0074_remove_systemuser_assets.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.1.6 on 2021-06-06 03:40
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0073_auto_20210606_1142'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='systemuser',
+            name='assets',
+        ),
+
+        migrations.AddField(
+            model_name='systemuser',
+            name='assets',
+            field=models.ManyToManyField(blank=True, related_name='system_users', through='assets.AuthBook', to='assets.Asset', verbose_name='Assets'),
+        ),
+    ]
--- a/apps/assets/migrations/0075_auto_20210705_1759.py
+++ b/apps/assets/migrations/0075_auto_20210705_1759.py
@@ -0,0 +1,53 @@
+# Generated by Django 3.1 on 2021-07-05 09:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0074_remove_systemuser_assets'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='asset',
+            name='connectivity',
+            field=models.CharField(choices=[('unknown', 'Unknown'), ('ok', 'Ok'), ('failed', 'Failed')], default='unknown', max_length=16, verbose_name='Connectivity'),
+        ),
+        migrations.AddField(
+            model_name='asset',
+            name='date_verified',
+            field=models.DateTimeField(null=True, verbose_name='Date verified'),
+        ),
+        migrations.AddField(
+            model_name='authbook',
+            name='connectivity',
+            field=models.CharField(choices=[('unknown', 'Unknown'), ('ok', 'Ok'), ('failed', 'Failed')], default='unknown', max_length=16, verbose_name='Connectivity'),
+        ),
+        migrations.AddField(
+            model_name='authbook',
+            name='date_verified',
+            field=models.DateTimeField(null=True, verbose_name='Date verified'),
+        ),
+        migrations.AddField(
+            model_name='historicalauthbook',
+            name='connectivity',
+            field=models.CharField(choices=[('unknown', 'Unknown'), ('ok', 'Ok'), ('failed', 'Failed')], default='unknown', max_length=16, verbose_name='Connectivity'),
+        ),
+        migrations.AddField(
+            model_name='historicalauthbook',
+            name='date_verified',
+            field=models.DateTimeField(null=True, verbose_name='Date verified'),
+        ),
+        migrations.AlterField(
+            model_name='asset',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC')], default='ssh', max_length=128, verbose_name='Protocol'),
+        ),
+        migrations.AlterField(
+            model_name='gateway',
+            name='protocol',
+            field=models.CharField(choices=[('ssh', 'SSH')], default='ssh', max_length=16, verbose_name='Protocol'),
+        ),
+    ]
--- a/apps/assets/migrations/0076_delete_assetuser.py
+++ b/apps/assets/migrations/0076_delete_assetuser.py
@@ -0,0 +1,16 @@
+# Generated by Django 3.1.6 on 2021-07-12 02:25
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0075_auto_20210705_1759'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='AssetUser',
+        ),
+    ]
--- a/apps/assets/migrations/0077_auto_20211012_1642.py
+++ b/apps/assets/migrations/0077_auto_20211012_1642.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.1.12 on 2021-10-12 08:42
+
+from django.db import migrations
+
+
+def migrate_platform_win2016(apps, schema_editor):
+    platform_model = apps.get_model("assets", "Platform")
+    win2016 = platform_model.objects.filter(name='Windows2016').first()
+    if not win2016:
+        print("Error: Not found Windows2016 platform")
+        return
+    win2016.meta = {"security": "any"}
+    win2016.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0076_delete_assetuser'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_platform_win2016)
+    ]
--- a/Show More
+++ b/Show More