perf: dockerfile 添加 freerdp2-dev 依赖 (#12387 )

Co-authored-by: feng <1304903146@qq.com>
perf: 优化 applet 账号选择
2025-12-15 16:42:34 +00:00 · 2023-12-20 18:49:01 +08:00 · 2023-12-05 16:19:19 +08:00 · 2023-12-05 14:01:26 +08:00 · 2023-11-28 15:19:00 +08:00 · 2023-11-28 12:53:32 +08:00
630 changed files with 23186 additions and 6866 deletions
--- a/.github/ISSUE_TEMPLATE/----.md
+++ b/.github/ISSUE_TEMPLATE/----.md
@@ -6,7 +6,6 @@ labels: 类型:需求
 assignees: 
  - ibuler
  - baijiangjie
-  - wojiushixiaobai
 ---

 **请描述您的需求或者改进建议.**
--- a/.github/ISSUE_TEMPLATE/bug---.md
+++ b/.github/ISSUE_TEMPLATE/bug---.md
@@ -2,11 +2,9 @@
 name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
 title: "[Bug] "
-labels: 类型:bug
+labels: 类型:Bug
 assignees: 
-   - wojiushixiaobai
   - baijiangjie
-
 ---

 **JumpServer 版本( v2.28 之前的版本不再支持 )**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -4,9 +4,7 @@ about: 提出针对本项目安装部署、使用及其他方面的相关问题
 title: "[Question] "
 labels: 类型:提问
 assignees: 
-  - wojiushixiaobai
  - baijiangjie
-
 ---

 **请描述您的问题.**
--- a/.github/workflows/jms-build-test.yml
+++ b/.github/workflows/jms-build-test.yml
@@ -19,8 +19,8 @@ jobs:
      with:
        context: .
        push: false
-        tags: jumpserver/core:test
-        file: Dockerfile
+        tags: jumpserver/core-ce:test
+        file: Dockerfile-ce
        build-args: |
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
--- a/124
+++ b/124
@@ -1,4 +1,4 @@
-FROM jumpserver/python:3.9-slim-buster as stage-build
+FROM python:3.11-slim-bullseye as stage-1
 ARG TARGETARCH

 ARG VERSION
@@ -6,11 +6,11 @@ ENV VERSION=$VERSION

 WORKDIR /opt/jumpserver
 ADD . .
-RUN cd utils && bash -ixeu build.sh
+RUN echo > /opt/jumpserver/config.yml \
+    && cd utils && bash -ixeu build.sh

-FROM jumpserver/python:3.9-slim-buster
+FROM python:3.11-slim-bullseye as stage-2
 ARG TARGETARCH
-MAINTAINER JumpServer Team <ibuler@qq.com>

 ARG BUILD_DEPENDENCIES="              \
        g++                           \
@@ -22,6 +22,7 @@ ARG DEPENDENCIES="                    \
        libpq-dev                     \
        libffi-dev                    \
        libjpeg-dev                   \
+        libkrb5-dev                   \
        libldap2-dev                  \
        libsasl2-dev                  \
        libssl-dev                    \
@@ -36,19 +37,15 @@ ARG TOOLS="                           \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
-        locales                       \
-        openssh-client                \
-        procps                        \
-        sshpass                       \
-        telnet                        \
-        unzip                         \
-        vim                           \
        git                           \
+        git-lfs                       \
+        unzip                         \
+        xz-utils                      \
        wget"

 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
@@ -56,59 +53,72 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && echo "no" | dpkg-reconfigure dash
+
+WORKDIR /opt/jumpserver
+
+ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=bind,source=poetry.lock,target=/opt/jumpserver/poetry.lock \
+    --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
+    set -ex \
+    && python3 -m venv /opt/py3 \
+    && pip install poetry -i ${PIP_MIRROR} \
+    && poetry config virtualenvs.create false \
+    && . /opt/py3/bin/activate \
+    && poetry install
+
+FROM python:3.11-slim-bullseye
+ARG TARGETARCH
+ENV LANG=zh_CN.UTF-8 \
+    PATH=/opt/py3/bin:$PATH
+
+ARG DEPENDENCIES="                    \
+        libjpeg-dev                   \
+        libx11-dev                    \
+        freerdp2-dev                  \
+        libxmlsec1-openssl"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        iputils-ping                  \
+        locales                       \
+        nmap                          \
+        openssh-client                \
+        patch                         \
+        sshpass                       \
+        telnet                        \
+        vim                           \
+        wget"
+
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
    && mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "set mouse-=a" > ~/.vimrc \
    && echo "no" | dpkg-reconfigure dash \
    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
-    && rm -rf /var/lib/apt/lists/*
+    && sed -i "s@# alias @alias @g" ~/.bashrc

-ARG DOWNLOAD_URL=https://download.jumpserver.org
-
-RUN set -ex \
-    && \
-    if [ "${TARGETARCH}" == "amd64" ] || [ "${TARGETARCH}" == "arm64" ]; then \
-        mkdir -p /opt/oracle; \
-        cd /opt/oracle; \
-        wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-        unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-        echo "/opt/oracle/instantclient_19_10" > /etc/ld.so.conf.d/oracle-instantclient.conf; \
-        ldconfig; \
-        rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-    fi
-
-WORKDIR /tmp/build
-COPY ./requirements ./requirements
-
-ARG PIP_MIRROR=https://pypi.douban.com/simple
-ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --upgrade pip \
-    && pip install --upgrade setuptools wheel \
-    && \
-    if [ "${TARGETARCH}" == "loong64" ]; then \
-        pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.2-cp39-cp39-linux_loongarch64.whl; \
-    fi \
-    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
-
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
-RUN echo > /opt/jumpserver/config.yml \
-    && rm -rf /tmp/build
+COPY --from=stage-2 /opt/py3 /opt/py3
+COPY --from=stage-1 /opt/jumpserver/release/jumpserver /opt/jumpserver

 WORKDIR /opt/jumpserver
-VOLUME /opt/jumpserver/data
-VOLUME /opt/jumpserver/logs

-ENV LANG=zh_CN.UTF-8
+ARG VERSION
+ENV VERSION=$VERSION
+
+VOLUME /opt/jumpserver/data

 EXPOSE 8080

--- a/9
+++ b/9
@@ -1,10 +1,5 @@
 ARG VERSION
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM jumpserver/core:${VERSION}
-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+FROM registry.fit2cloud.com/jumpserver/core-ce:${VERSION}

-WORKDIR /opt/jumpserver
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip install -r requirements/requirements_xpack.txt
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
--- a/README.md
+++ b/README.md
@@ -12,11 +12,10 @@


 <p align="center">
-    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
-    <br>
    9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>

+------------------------------
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。

 JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
@@ -62,6 +61,7 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型

 ## 案例研究

+- [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
@@ -83,9 +83,7 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型

 ### 参与贡献

-欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
-
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)

 ## 组件项目

@@ -100,7 +98,7 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
 | [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
 | [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
-| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
+| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core API 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |

--- a/apps/accounts/api/account/init.py
+++ b/apps/accounts/api/account/init.py
@@ -1,3 +1,4 @@
 from .account import *
 from .task import *
 from .template import *
+from .virtual import *
--- a/apps/accounts/api/account/account.py
+++ b/apps/accounts/api/account/account.py
@@ -6,11 +6,12 @@ from rest_framework.status import HTTP_200_OK

 from accounts import serializers
 from accounts.filters import AccountFilterSet
+from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account
 from assets.models import Asset, Node
-from common.api import ExtraFilterFieldsMixin
-from common.permissions import UserConfirmation, ConfirmType, IsValidUser
-from common.views.mixins import RecordViewLogMixin
+from authentication.permissions import UserConfirmation, ConfirmType
+from common.api.mixin import ExtraFilterFieldsMixin
+from common.permissions import IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission

@@ -22,10 +23,11 @@ __all__ = [

 class AccountViewSet(OrgBulkModelViewSet):
    model = Account
-    search_fields = ('username', 'name', 'asset__name', 'asset__address')
+    search_fields = ('username', 'name', 'asset__name', 'asset__address', 'comment')
    filterset_class = AccountFilterSet
    serializer_classes = {
        'default': serializers.AccountSerializer,
+        'retrieve': serializers.AccountDetailSerializer,
    }
    rbac_perms = {
        'partial_update': ['accounts.change_account'],
@@ -52,22 +54,23 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(data=serializer.data)

    @action(
-        methods=['get'], detail=False, url_path='username-suggestions',
+        methods=['post'], detail=False, url_path='username-suggestions',
        permission_classes=[IsValidUser]
    )
    def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.query_params.get('assets')
-        node_keys = request.query_params.get('keys')
-        username = request.query_params.get('username')
+        asset_ids = request.data.get('assets', [])
+        node_ids = request.data.get('nodes', [])
+        username = request.data.get('username', '')
+
+        accounts = Account.objects.all()
+        if node_ids:
+            nodes = Node.objects.filter(id__in=node_ids)
+            node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
+            asset_ids.extend(node_asset_ids)

-        assets = Asset.objects.all()
        if asset_ids:
-            assets = assets.filter(id__in=asset_ids.split(','))
-        if node_keys:
-            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
-            assets = assets.filter(nodes__key__regex=patten)
+            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))

-        accounts = Account.objects.filter(asset__in=assets)
        if username:
            accounts = accounts.filter(username__icontains=username)
        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
@@ -84,7 +87,7 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(status=HTTP_200_OK)


-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
    """
    因为可能要导出所有账号，所以单独建立了一个 viewset
    """
@@ -113,7 +116,7 @@ class AssetAccountBulkCreateApi(CreateAPIView):
        return Response(data=serializer.data, status=HTTP_200_OK)


-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
    model = Account.history.model
    serializer_class = serializers.AccountHistorySerializer
    http_method_names = ['get', 'options']
@@ -132,11 +135,12 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, List
    def get_queryset(self):
        account = self.get_object()
        histories = account.history.all()
-        last_history = account.history.first()
-        if not last_history:
+        latest_history = account.history.first()
+        if not latest_history:
            return histories
-
-        if account.secret == last_history.secret \
-                and account.secret_type == last_history.secret_type:
-            histories = histories.exclude(history_id=last_history.history_id)
+        if account.secret != latest_history.secret:
+            return histories
+        if account.secret_type != latest_history.secret_type:
+            return histories
+        histories = histories.exclude(history_id=latest_history.history_id)
        return histories
--- a/apps/accounts/api/account/task.py
+++ b/apps/accounts/api/account/task.py
@@ -19,7 +19,9 @@ class AccountsTaskCreateAPI(CreateAPIView):
            code = 'accounts.push_account'
        else:
            code = 'accounts.verify_account'
-        return request.user.has_perm(code)
+        has = request.user.has_perm(code)
+        if not has:
+            self.permission_denied(request)

    def perform_create(self, serializer):
        data = serializer.validated_data
@@ -44,6 +46,6 @@ class AccountsTaskCreateAPI(CreateAPIView):

    def get_exception_handler(self):
        def handler(e, context):
-            return Response({"error": str(e)}, status=400)
+            return Response({"error": str(e)}, status=401)

        return handler
--- a/apps/accounts/api/account/template.py
+++ b/apps/accounts/api/account/template.py
@@ -1,13 +1,15 @@
 from django_filters import rest_framework as drf_filters
+from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response

 from accounts import serializers
+from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import AccountTemplate
+from accounts.tasks import template_sync_related_accounts
 from assets.const import Protocol
+from authentication.permissions import UserConfirmation, ConfirmType
 from common.drf.filters import BaseFilterSet
-from common.permissions import UserConfirmation, ConfirmType
-from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission

@@ -44,6 +46,7 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
    }
    rbac_perms = {
        'su_from_account_templates': 'accounts.view_accounttemplate',
+        'sync_related_accounts': 'accounts.change_account',
    }

    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
@@ -54,8 +57,15 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
        serializer = self.get_serializer(templates, many=True)
        return Response(data=serializer.data)

+    @action(methods=['patch'], detail=True, url_path='sync-related-accounts')
+    def sync_related_accounts(self, request, *args, **kwargs):
+        instance = self.get_object()
+        user_id = str(request.user.id)
+        task = template_sync_related_accounts.delay(str(instance.id), user_id)
+        return Response({'task': task.id}, status=status.HTTP_200_OK)

-class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+
+class AccountTemplateSecretsViewSet(AccountRecordViewLogMixin, AccountTemplateViewSet):
    serializer_classes = {
        'default': serializers.AccountTemplateSecretSerializer,
    }
--- a/apps/accounts/api/account/virtual.py
+++ b/apps/accounts/api/account/virtual.py
@@ -0,0 +1,20 @@
+from django.shortcuts import get_object_or_404
+
+from accounts.models import VirtualAccount
+from accounts.serializers import VirtualAccountSerializer
+from common.utils import is_uuid
+from orgs.mixins.api import OrgBulkModelViewSet
+
+
+class VirtualAccountViewSet(OrgBulkModelViewSet):
+    serializer_class = VirtualAccountSerializer
+    search_fields = ('alias',)
+    filterset_fields = ('alias',)
+
+    def get_queryset(self):
+        return VirtualAccount.get_or_init_queryset()
+
+    def get_object(self, ):
+        pk = self.kwargs.get('pk')
+        kwargs = {'pk': pk} if is_uuid(pk) else {'alias': pk}
+        return get_object_or_404(VirtualAccount, **kwargs)
--- a/apps/accounts/api/automations/backup.py
+++ b/apps/accounts/api/automations/backup.py
@@ -26,8 +26,8 @@ class AccountBackupPlanViewSet(OrgBulkModelViewSet):

 class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
    serializer_class = serializers.AccountBackupPlanExecutionSerializer
-    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'plan_id')
+    search_fields = ('trigger', 'plan__name')
+    filterset_fields = ('trigger', 'plan_id', 'plan__name')
    http_method_names = ['get', 'post', 'options']

    def get_queryset(self):
--- a/apps/accounts/api/automations/base.py
+++ b/apps/accounts/api/automations/base.py
@@ -1,5 +1,5 @@
 from django.shortcuts import get_object_or_404
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from rest_framework import status, mixins, viewsets
 from rest_framework.response import Response

@@ -95,8 +95,8 @@ class AutomationExecutionViewSet(
    mixins.CreateModelMixin, mixins.ListModelMixin,
    mixins.RetrieveModelMixin, viewsets.GenericViewSet
 ):
-    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'automation_id')
+    search_fields = ('trigger', 'automation__name')
+    filterset_fields = ('trigger', 'automation_id', 'automation__name')
    serializer_class = serializers.AutomationExecutionSerializer

    tp: str
--- a/apps/accounts/api/automations/change_secret.py
+++ b/apps/accounts/api/automations/change_secret.py
@@ -1,12 +1,13 @@
 # -*- coding: utf-8 -*-
 #
-
-from rest_framework import mixins
+from rest_framework import status, mixins
+from rest_framework.decorators import action
+from rest_framework.response import Response

 from accounts import serializers
 from accounts.const import AutomationTypes
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
-from common.utils import get_object_or_none
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
+from accounts.tasks import execute_automation_record_task
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from .base import (
    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
@@ -30,21 +31,27 @@ class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):

 class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
    serializer_class = serializers.ChangeSecretRecordSerializer
-    filter_fields = ['asset', 'execution_id']
-    search_fields = ['asset__hostname']
+    filterset_fields = ('asset_id', 'execution_id')
+    search_fields = ('asset__address',)
+    tp = AutomationTypes.change_secret
+    rbac_perms = {
+        'execute': 'accounts.add_changesecretexecution',
+    }

    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.change_secret
-        )
+        return ChangeSecretRecord.objects.all()

-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        eid = self.request.query_params.get('execution_id')
-        execution = get_object_or_none(AutomationExecution, pk=eid)
-        if execution:
-            queryset = queryset.filter(execution=execution)
-        return queryset
+    @action(methods=['post'], detail=False, url_path='execute')
+    def execute(self, request, *args, **kwargs):
+        record_id = request.data.get('record_id')
+        record = self.get_queryset().filter(pk=record_id)
+        if not record:
+            return Response(
+                {'detail': 'record not found'},
+                status=status.HTTP_404_NOT_FOUND
+            )
+        task = execute_automation_record_task.delay(record_id, self.tp)
+        return Response({'task': task.id}, status=status.HTTP_200_OK)


 class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
--- a/apps/accounts/api/automations/push_account.py
+++ b/apps/accounts/api/automations/push_account.py
@@ -42,6 +42,7 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):

 class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
    serializer_class = serializers.ChangeSecretRecordSerializer
+    tp = AutomationTypes.push_account

    def get_queryset(self):
        return ChangeSecretRecord.objects.filter(
--- a/apps/accounts/apps.py
+++ b/apps/accounts/apps.py
@@ -6,6 +6,5 @@ class AccountsConfig(AppConfig):
    name = 'accounts'

    def ready(self):
-        from . import signal_handlers
-        from . import tasks
-        __all__ = signal_handlers
+        from . import signal_handlers  # noqa
+        from . import tasks  # noqa
--- a/apps/accounts/automations/backup_account/handlers.py
+++ b/apps/accounts/automations/backup_account/handlers.py
@@ -1,26 +1,28 @@
 import os
 import time
-from openpyxl import Workbook
 from collections import defaultdict, OrderedDict

 from django.conf import settings
-from django.db.models import F
+from openpyxl import Workbook
 from rest_framework import serializers

-from accounts.models import Account
-from assets.const import AllTypes
+from accounts.const.automation import AccountBackupType
+from accounts.notifications import AccountBackupExecutionTaskMsg, AccountBackupByObjStorageExecutionTaskMsg
 from accounts.serializers import AccountSecretSerializer
-from accounts.notifications import AccountBackupExecutionTaskMsg
+from accounts.models.automations.backup_account import AccountBackupAutomation
+from assets.const import AllTypes
+from common.utils.file import encrypt_and_compress_zip_file, zip_files
+from common.utils.timezone import local_now_filename, local_now_display
+from terminal.models.component.storage import ReplayStorage
 from users.models import User
-from common.utils import get_logger
-from common.utils.timezone import local_now_display
-from common.utils.file import encrypt_and_compress_zip_file
-
-logger = get_logger(__file__)

 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')


+class RecipientsNotFound(Exception):
+    pass
+
+
 class BaseAccountHandler:
    @classmethod
    def unpack_data(cls, serializer_data, data=None):
@@ -72,12 +74,26 @@ class AssetAccountHandler(BaseAccountHandler):
    @staticmethod
    def get_filename(plan_name):
        filename = os.path.join(
-            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.xlsx'
        )
        return filename

+    @staticmethod
+    def handler_secret(data, section):
+        for account_data in data:
+            secret = account_data.get('secret')
+            if not secret:
+                continue
+            length = len(secret)
+            index = length // 2
+            if section == "front":
+                secret = secret[:index] + '*' * (length - index)
+            elif section == "back":
+                secret = '*' * (length - index) + secret[index:]
+            account_data['secret'] = secret
+
    @classmethod
-    def create_data_map(cls, accounts):
+    def create_data_map(cls, accounts, section):
        data_map = defaultdict(list)

        if not accounts.exists():
@@ -97,9 +113,10 @@ class AssetAccountHandler(BaseAccountHandler):
        for tp, _accounts in account_type_map.items():
            sheet_name = type_dict.get(tp, tp)
            data = AccountSecretSerializer(_accounts, many=True).data
+            cls.handler_secret(data, section)
            data_map.update(cls.add_rows(data, header_fields, sheet_name))

-        logger.info('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
+        print('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
        return data_map


@@ -109,8 +126,8 @@ class AccountBackupHandler:
        self.plan_name = self.execution.plan.name
        self.is_frozen = False  # 任务状态冻结标志

-    def create_excel(self):
-        logger.info(
+    def create_excel(self, section='complete'):
+        print(
            '\n'
            '\033[32m>>> 正在生成资产或应用相关备份信息文件\033[0m'
            ''
@@ -119,7 +136,7 @@ class AccountBackupHandler:
        time_start = time.time()
        files = []
        accounts = self.execution.backup_accounts
-        data_map = AssetAccountHandler.create_data_map(accounts)
+        data_map = AssetAccountHandler.create_data_map(accounts, section)
        if not data_map:
            return files

@@ -133,16 +150,16 @@ class AccountBackupHandler:
        wb.save(filename)
        files.append(filename)
        timedelta = round((time.time() - time_start), 2)
-        logger.info('步骤完成: 用时 {}s'.format(timedelta))
+        print('创建备份文件完成: 用时 {}s'.format(timedelta))
        return files

    def send_backup_mail(self, files, recipients):
        if not files:
            return
        recipients = User.objects.filter(id__in=list(recipients))
-        logger.info(
+        print(
            '\n'
-            '\033[32m>>> 发送备份邮件\033[0m'
+            '\033[32m>>> 开始发送备份邮件\033[0m'
            ''
        )
        plan_name = self.plan_name
@@ -151,11 +168,35 @@ class AccountBackupHandler:
                attachment_list = []
            else:
                password = user.secret_key.encode('utf8')
-                attachment = os.path.join(PATH, f'{plan_name}-{local_now_display()}-{time.time()}.zip')
+                attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
                encrypt_and_compress_zip_file(attachment, password, files)
                attachment_list = [attachment, ]
            AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
-            logger.info('邮件已发送至{}({})'.format(user, user.email))
+            print('邮件已发送至{}({})'.format(user, user.email))
+        for file in files:
+            os.remove(file)
+
+    def send_backup_obj_storage(self, files, recipients, password):
+        if not files:
+            return
+        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
+        print(
+            '\n'
+            '\033[32m>>> 开始发送备份文件到sftp服务器\033[0m'
+            ''
+        )
+        plan_name = self.plan_name
+        for rec in recipients:
+            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
+            if password:
+                print('\033[32m>>> 使用加密密码对文件进行加密中\033[0m')
+                password = password.encode('utf8')
+                encrypt_and_compress_zip_file(attachment, password, files)
+            else:
+                zip_files(attachment, files)
+            attachment_list = attachment
+            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
+            print('备份文件将发送至{}({})'.format(rec.name, rec.id))
        for file in files:
            os.remove(file)

@@ -163,33 +204,29 @@ class AccountBackupHandler:
        self.execution.reason = reason[:1024]
        self.execution.is_success = is_success
        self.execution.save()
-        logger.info('已完成对任务状态的更新')
+        print('\n已完成对任务状态的更新\n')

-    def step_finished(self, is_success):
+    @staticmethod
+    def step_finished(is_success):
        if is_success:
-            logger.info('任务执行成功')
+            print('任务执行成功')
        else:
-            logger.error('任务执行失败')
+            print('任务执行失败')

    def _run(self):
        is_success = False
        error = '-'
        try:
-            recipients = self.execution.plan_snapshot.get('recipients')
-            if not recipients:
-                logger.info(
-                    '\n'
-                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
-                    ''
-                )
-            else:
-                files = self.create_excel()
-                self.send_backup_mail(files, recipients)
+            backup_type = self.execution.snapshot.get('backup_type', AccountBackupType.email.value)
+            if backup_type == AccountBackupType.email.value:
+                self.backup_by_email()
+            elif backup_type == AccountBackupType.object_storage.value:
+                self.backup_by_obj_storage()
        except Exception as e:
            self.is_frozen = True
-            logger.error('任务执行被异常中断')
-            logger.info('下面打印发生异常的 Traceback 信息 : ')
-            logger.error(e, exc_info=True)
+            print('任务执行被异常中断')
+            print('下面打印发生异常的 Traceback 信息 : ')
+            print(e)
            error = str(e)
        else:
            is_success = True
@@ -198,16 +235,62 @@ class AccountBackupHandler:
            self.step_perform_task_update(is_success, reason)
            self.step_finished(is_success)

+    def backup_by_obj_storage(self):
+        object_id = self.execution.snapshot.get('id')
+        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
+        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
+        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
+        if not obj_recipients_part_one and not obj_recipients_part_two:
+            print(
+                '\n'
+                '\033[31m>>> 该备份任务未分配sftp服务器\033[0m'
+                ''
+            )
+            raise RecipientsNotFound('Not Found Recipients')
+        if obj_recipients_part_one and obj_recipients_part_two:
+            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            files = self.create_excel(section='front')
+            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)
+
+            files = self.create_excel(section='back')
+            self.send_backup_obj_storage(files, obj_recipients_part_two, zip_encrypt_password)
+        else:
+            recipients = obj_recipients_part_one or obj_recipients_part_two
+            files = self.create_excel()
+            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)
+
+    def backup_by_email(self):
+        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
+        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
+        if not recipients_part_one and not recipients_part_two:
+            print(
+                '\n'
+                '\033[31m>>> 该备份任务未分配收件人\033[0m'
+                ''
+            )
+            raise RecipientsNotFound('Not Found Recipients')
+        if recipients_part_one and recipients_part_two:
+            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            files = self.create_excel(section='front')
+            self.send_backup_mail(files, recipients_part_one)
+
+            files = self.create_excel(section='back')
+            self.send_backup_mail(files, recipients_part_two)
+        else:
+            recipients = recipients_part_one or recipients_part_two
+            files = self.create_excel()
+            self.send_backup_mail(files, recipients)
+
    def run(self):
-        logger.info('任务开始: {}'.format(local_now_display()))
+        print('任务开始: {}'.format(local_now_display()))
        time_start = time.time()
        try:
            self._run()
        except Exception as e:
-            logger.error('任务运行出现异常')
-            logger.error('下面显示异常 Traceback 信息: ')
-            logger.error(e, exc_info=True)
+            print('任务运行出现异常')
+            print('下面显示异常 Traceback 信息: ')
+            print(e)
        finally:
-            logger.info('\n任务结束: {}'.format(local_now_display()))
+            print('\n任务结束: {}'.format(local_now_display()))
            timedelta = round((time.time() - time_start), 2)
-            logger.info('用时: {}'.format(timedelta))
+            print('用时: {}s'.format(timedelta))
--- a/apps/accounts/automations/backup_account/manager.py
+++ b/apps/accounts/automations/backup_account/manager.py
@@ -4,13 +4,9 @@ import time

 from django.utils import timezone

-from common.utils import get_logger
 from common.utils.timezone import local_now_display
-
 from .handlers import AccountBackupHandler

-logger = get_logger(__name__)
-

 class AccountBackupManager:
    def __init__(self, execution):
@@ -23,7 +19,7 @@ class AccountBackupManager:

    def do_run(self):
        execution = self.execution
-        logger.info('\n\033[33m# 账号备份计划正在执行\033[0m')
+        print('\n\033[33m# 账号备份计划正在执行\033[0m')
        handler = AccountBackupHandler(execution)
        handler.run()

@@ -35,10 +31,10 @@ class AccountBackupManager:
        self.time_end = time.time()
        self.date_end = timezone.now()

-        logger.info('\n\n' + '-' * 80)
-        logger.info('计划执行结束 {}\n'.format(local_now_display()))
+        print('\n\n' + '-' * 80)
+        print('计划执行结束 {}\n'.format(local_now_display()))
        self.timedelta = self.time_end - self.time_start
-        logger.info('用时: {}s'.format(self.timedelta))
+        print('用时: {}s'.format(self.timedelta))
        self.execution.timedelta = self.timedelta
        self.execution.save()

--- a/apps/accounts/automations/change_secret/custom/ssh/main.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/main.yml
@@ -1,27 +1,40 @@
 - hosts: custom
  gather_facts: no
  vars:
+    asset_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'ssh') | map(attribute='port') | first }}"
    ansible_connection: local
+    ansible_become: false

  tasks:
-    - name: Test privileged account
+    - name: Test privileged account (paramiko)
      ssh_ping:
        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ asset_port }}"
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
+        become: "{{ custom_become | default(False) }}"
+        become_method: "{{ custom_become_method | default('su') }}"
+        become_user: "{{ custom_become_user | default('') }}"
+        become_password: "{{ custom_become_password | default('') }}"
+        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
      register: ping_info
+      delegate_to: localhost

-    - name: Change asset password
+    - name: Change asset password (paramiko)
      custom_command:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ asset_port }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
+        become: "{{ custom_become | default(False) }}"
+        become_method: "{{ custom_become_method | default('su') }}"
+        become_user: "{{ custom_become_user | default('') }}"
+        become_password: "{{ custom_become_password | default('') }}"
+        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        commands: "{{ params.commands }}"
@@ -29,10 +42,17 @@
      ignore_errors: true
      when: ping_info is succeeded
      register: change_info
+      delegate_to: localhost

-    - name: Verify password
+    - name: Verify password (paramiko)
      ssh_ping:
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ asset_port }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
+      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/database/mongodb/main.yml
+++ b/apps/accounts/automations/change_secret/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test MongoDB connection
@@ -11,9 +11,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/change_secret/database/mysql/main.yml
+++ b/apps/accounts/automations/change_secret/database/mysql/main.yml
@@ -1,8 +1,9 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"

  tasks:
    - name: Test MySQL connection
@@ -11,6 +12,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
      register: db_info

@@ -24,6 +29,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -37,4 +46,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/change_secret/database/oracle/main.yml
+++ b/apps/accounts/automations/change_secret/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test Oracle connection
--- a/apps/accounts/automations/change_secret/database/postgresql/main.yml
+++ b/apps/accounts/automations/change_secret/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test PostgreSQL connection
--- a/apps/accounts/automations/change_secret/database/sqlserver/main.yml
+++ b/apps/accounts/automations/change_secret/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0

@@ -51,7 +51,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0

--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -1,10 +1,41 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

-    - name: Change password
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        shell: "{{ params.shell }}"
+        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        groups: "{{ params.groups }}"
+        expires: -1
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} group"
+      ansible.builtin.group:
+        name: "{{ account.username }}"
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} user to group"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        groups: "{{ params.groups }}"
+      when:
+        - user_info.failed
+        - params.groups
+
+    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
@@ -12,44 +43,57 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
-      - account.secret_type == "ssh_key"
-      - ssh_params.strategy == "set_jms"
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"

-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

+    - name: "Set {{ account.username }} sudo setting"
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - user_info.failed
+        - params.sudo
+
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} password (paramiko)"
+      ssh_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
      when: account.secret_type == "password"
+      delegate_to: localhost

-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_private_key_path: "{{ account.private_key_path  }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      when: account.secret_type == "ssh_key"
+      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -1,10 +1,17 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

-    - name: Check user
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
        groups: "{{ params.groups }}"
        expires: -1
        state: present
+      when: user_info.failed

    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
+      when: user_info.failed

-    - name: Add user groups
+    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
-      when: params.groups
+      when:
+        - user_info.failed
+        - params.groups

-    - name: Change password
+    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
@@ -32,11 +43,6 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
@@ -46,14 +52,14 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"

-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

-    - name: Set sudo setting
+    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
@@ -61,25 +67,33 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
+        - user_info.failed
        - params.sudo

    - name: Refresh connection
      ansible.builtin.meta: reset_connection

-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} password (paramiko)"
+      ssh_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
      when: account.secret_type == "password"
+      delegate_to: localhost

-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_private_key_path: "{{ account.private_key_path  }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      when: account.secret_type == "ssh_key"
+      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
@@ -0,0 +1,35 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+    - name: Change password
+      ansible.windows.win_user:
+        fullname: "{{ account.username}}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password (pyfreerdp)
+      rdp_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"
+      when: account.secret_type == "password"
+      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
@@ -0,0 +1,26 @@
+id: change_secret_windows_rdp_verify
+name: "{{ 'Windows account change secret rdp verify' | trans }}"
+version: 1
+method: change_secret
+category: host
+type:
+  - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: "{{ 'Params groups help text' | trans }}"
+
+
+i18n:
+  Windows account change secret rdp verify:
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
+    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
+    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@@ -1,6 +1,5 @@
 import os
 import time
-from collections import defaultdict
 from copy import deepcopy

 from django.conf import settings
@@ -14,7 +13,7 @@ from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
+from common.utils.timezone import local_now_filename
 from users.models import User
 from ..base.manager import AccountBasePlaybookManager
 from ...utils import SecretGenerator
@@ -27,7 +26,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
-        self.method_hosts_mapper = defaultdict(list)
+        self.record_id = self.execution.snapshot.get('record_id')
        self.secret_type = self.execution.snapshot.get('secret_type')
        self.secret_strategy = self.execution.snapshot.get(
            'secret_strategy', SecretStrategy.custom
@@ -50,7 +49,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'

        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
+            username = account.username
+            path = f'/{username}' if username == "root" else f'/home/{username}'
+            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
        return kwargs

@@ -96,17 +97,13 @@ class ChangeSecretManager(AccountBasePlaybookManager):

        accounts = self.get_accounts(account)
        if not accounts:
-            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
+            print('没有发现待处理的账号: %s 用户ID: %s 类型: %s' % (
                asset.name, self.account_ids, self.secret_type
            ))
            return []

-        method_attr = getattr(automation, self.method_type() + '_method')
-        method_hosts = self.method_hosts_mapper[method_attr]
-        method_hosts = [h for h in method_hosts if h != host['name']]
-        inventory_hosts = []
        records = []
-
+        inventory_hosts = []
        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
            print(f'Windows {asset} does not support ssh key push')
            return inventory_hosts
@@ -116,13 +113,20 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            h = deepcopy(host)
            secret_type = account.secret_type
            h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret(secret_type)
+            if self.secret_type is None:
+                new_secret = account.secret
+            else:
+                new_secret = self.get_secret(secret_type)
+
+            if self.record_id is None:
+                recorder = ChangeSecretRecord(
+                    asset=asset, account=account, execution=self.execution,
+                    old_secret=account.secret, new_secret=new_secret,
+                )
+                records.append(recorder)
+            else:
+                recorder = ChangeSecretRecord.objects.get(id=self.record_id)

-            recorder = ChangeSecretRecord(
-                asset=asset, account=account, execution=self.execution,
-                old_secret=account.secret, new_secret=new_secret,
-            )
-            records.append(recorder)
            self.name_recorder_mapper[h['name']] = recorder

            private_key_path = None
@@ -136,13 +140,12 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                'username': account.username,
                'secret_type': secret_type,
                'secret': new_secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
            }
            if asset.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
            inventory_hosts.append(h)
-            method_hosts.append(h['name'])
-        self.method_hosts_mapper[method_attr] = method_hosts
        ChangeSecretRecord.objects.bulk_create(records)
        return inventory_hosts

@@ -170,7 +173,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        recorder.save()

    def on_runner_failed(self, runner, e):
-        logger.error("Change secret error: ", e)
+        logger.error("Account error: ", e)

    def check_secret(self):
        if self.secret_strategy == SecretStrategy.custom \
@@ -180,9 +183,11 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        return True

    def run(self, *args, **kwargs):
-        if not self.check_secret():
+        if self.secret_type and not self.check_secret():
            return
        super().run(*args, **kwargs)
+        if self.record_id:
+            return
        recorders = self.name_recorder_mapper.values()
        recorders = list(recorders)
        self.send_recorder_mail(recorders)
@@ -196,7 +201,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):

        name = self.execution.snapshot['name']
        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
+        filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
        if not self.create_file(recorders, filename):
            return

@@ -204,7 +209,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            attachments = []
            if user.secret_key:
                password = user.secret_key.encode('utf8')
-                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                attachment = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.zip')
                encrypt_and_compress_zip_file(attachment, password, [filename])
                attachments = [attachment]
            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
--- a/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Get info
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        filter: users
--- a/apps/accounts/automations/gather_accounts/database/mysql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mysql/main.yml
@@ -1,7 +1,8 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"

  tasks:
    - name: Get info
@@ -10,6 +11,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: users
      register: db_info

--- a/apps/accounts/automations/gather_accounts/database/oracle/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oralce
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Get info
--- a/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgresql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Get info
--- a/apps/accounts/automations/gather_accounts/manager.py
+++ b/apps/accounts/automations/gather_accounts/manager.py
@@ -1,9 +1,14 @@
+from collections import defaultdict
+
 from accounts.const import AutomationTypes
 from accounts.models import GatheredAccount
+from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org
+from users.models import User
 from .filter import GatherAccountsFilter
 from ..base.manager import AccountBasePlaybookManager
+from ...notifications import GatherAccountChangeMsg

 logger = get_logger(__name__)

@@ -12,6 +17,9 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.host_asset_mapper = {}
+        self.asset_account_info = {}
+
+        self.asset_username_mapper = defaultdict(set)
        self.is_sync_account = self.execution.snapshot.get('is_sync_account')

    @classmethod
@@ -26,10 +34,11 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def filter_success_result(self, tp, result):
        result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
        return result
-    @staticmethod
-    def generate_data(asset, result):
+
+    def generate_data(self, asset, result):
        data = []
        for username, info in result.items():
+            self.asset_username_mapper[str(asset.id)].add(username)
            d = {'asset': asset, 'username': username, 'present': True}
            if info.get('date'):
                d['date_last_login'] = info['date']
@@ -38,26 +47,85 @@ class GatherAccountsManager(AccountBasePlaybookManager):
            data.append(d)
        return data

-    def update_or_create_accounts(self, asset, result):
+    def collect_asset_account_info(self, asset, result):
        data = self.generate_data(asset, result)
-        with tmp_to_org(asset.org_id):
-            gathered_accounts = []
-            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-            for d in data:
-                username = d['username']
-                gathered_account, __ = GatheredAccount.objects.update_or_create(
-                    defaults=d, asset=asset, username=username,
-                )
-                gathered_accounts.append(gathered_account)
-            if not self.is_sync_account:
-                return
-            GatheredAccount.sync_accounts(gathered_accounts)
+        self.asset_account_info[asset] = data

    def on_host_success(self, host, result):
        info = result.get('debug', {}).get('res', {}).get('info', {})
        asset = self.host_asset_mapper.get(host)
        if asset and info:
            result = self.filter_success_result(asset.type, info)
-            self.update_or_create_accounts(asset, result)
+            self.collect_asset_account_info(asset, result)
        else:
-            logger.error("Not found info".format(host))
+            logger.error(f'Not found {host} info')
+
+    def update_or_create_accounts(self):
+        for asset, data in self.asset_account_info.items():
+            with tmp_to_org(asset.org_id):
+                gathered_accounts = []
+                GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+                for d in data:
+                    username = d['username']
+                    gathered_account, __ = GatheredAccount.objects.update_or_create(
+                        defaults=d, asset=asset, username=username,
+                    )
+                    gathered_accounts.append(gathered_account)
+                if not self.is_sync_account:
+                    return
+                GatheredAccount.sync_accounts(gathered_accounts)
+
+    def run(self, *args, **kwargs):
+        super().run(*args, **kwargs)
+        users, change_info = self.generate_send_users_and_change_info()
+        self.update_or_create_accounts()
+        self.send_email_if_need(users, change_info)
+
+    def generate_send_users_and_change_info(self):
+        recipients = self.execution.recipients
+        if not self.asset_username_mapper or not recipients:
+            return None, None
+
+        users = User.objects.filter(id__in=recipients)
+        if not users:
+            return users, None
+
+        asset_ids = self.asset_username_mapper.keys()
+        assets = Asset.objects.filter(id__in=asset_ids)
+        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
+        asset_id_map = {str(asset.id): asset for asset in assets}
+        asset_id_username = list(assets.values_list('id', 'accounts__username'))
+        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
+
+        system_asset_username_mapper = defaultdict(set)
+        for asset_id, username in asset_id_username:
+            system_asset_username_mapper[str(asset_id)].add(username)
+
+        change_info = {}
+        for asset_id, usernames in self.asset_username_mapper.items():
+            system_usernames = system_asset_username_mapper.get(asset_id)
+
+            if not system_usernames:
+                continue
+
+            add_usernames = usernames - system_usernames
+            remove_usernames = system_usernames - usernames
+            k = f'{asset_id_map[asset_id]}[{asset_id}]'
+
+            if not add_usernames and not remove_usernames:
+                continue
+
+            change_info[k] = {
+                'add_usernames': ', '.join(add_usernames),
+                'remove_usernames': ', '.join(remove_usernames),
+            }
+
+        return users, change_info
+
+    @staticmethod
+    def send_email_if_need(users, change_info):
+        if not users or not change_info:
+            return
+
+        for user in users:
+            GatherAccountChangeMsg(user, change_info).publish_async()
--- a/apps/accounts/automations/push_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/push_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test MongoDB connection
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/push_account/database/mysql/main.yml
+++ b/apps/accounts/automations/push_account/database/mysql/main.yml
@@ -1,8 +1,9 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"

  tasks:
    - name: Test MySQL connection
@@ -11,6 +12,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
      register: db_info

@@ -24,6 +29,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -37,4 +46,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/push_account/database/oracle/main.yml
+++ b/apps/accounts/automations/push_account/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test Oracle connection
--- a/apps/accounts/automations/push_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/push_account/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test PostgreSQL connection
@@ -31,6 +31,7 @@
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
+      register: change_info

    - name: Verify password
      community.postgresql.postgresql_ping:
@@ -42,3 +43,5 @@
      when:
        - result is succeeded
        - change_info is succeeded
+      register: result
+      failed_when: not result.is_available
--- a/apps/accounts/automations/push_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/push_account/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0
      register: change_info
@@ -52,7 +52,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0
      register: change_info
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -1,10 +1,17 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

-    - name: Push user
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
@@ -12,22 +19,26 @@
        groups: "{{ params.groups }}"
        expires: -1
        state: present
+      when: user_info.failed

    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
+      when: user_info.failed

-    - name: Add user groups
+    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
-      when: params.groups
+      when:
+        - user_info.failed
+        - params.groups

-    - name: Push user password
+    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
+        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
@@ -41,14 +52,14 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"

-    - name: Push SSH key
+    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

-    - name: Set sudo setting
+    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
@@ -56,25 +67,34 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
+        - user_info.failed
        - params.sudo

    - name: Refresh connection
      ansible.builtin.meta: reset_connection

-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} password (paramiko)"
+      ssh_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
      when: account.secret_type == "password"
+      delegate_to: localhost

-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_private_key_path: "{{ account.private_key_path  }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      when: account.secret_type == "ssh_key"
+      delegate_to: localhost
+
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -1,10 +1,17 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
      ansible.builtin.ping:

-    - name: Push user
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
@@ -12,19 +19,23 @@
        groups: "{{ params.groups }}"
        expires: -1
        state: present
+      when: user_info.failed

    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
+      when: user_info.failed

-    - name: Add user groups
+    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
-      when: params.groups
+      when:
+        - user_info.failed
+        - params.groups

-    - name: Push user password
+    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
@@ -41,14 +52,14 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"

-    - name: Push SSH key
+    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"

-    - name: Set sudo setting
+    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
@@ -56,25 +67,34 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
+        - user_info.failed
        - params.sudo

    - name: Refresh connection
      ansible.builtin.meta: reset_connection

-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} password (paramiko)"
+      ssh_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
      when: account.secret_type == "password"
+      delegate_to: localhost

-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
+    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_private_key_path: "{{ account.private_key_path  }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
      when: account.secret_type == "ssh_key"
+      delegate_to: localhost
+
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
@@ -0,0 +1,35 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+    - name: Push user password
+      ansible.windows.win_user:
+        fullname: "{{ account.username}}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password (pyfreerdp)
+      rdp_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"
+      when: account.secret_type == "password"
+      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
@@ -0,0 +1,19 @@
+id: push_account_windows_rdp_verify
+name: "{{ 'Windows account push rdp verify' | trans }}"
+version: 1
+method: push_account
+category: host
+type:
+  - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+
+i18n:
+  Windows account push rdp verify:
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送 RDP 协议测试最后的可连接性
+    ja: Ansibleモジュールwin_userがWindowsアカウントプッシュRDPプロトコルテストを実行する最後の接続性
+    en: Using the Ansible module win_user performs Windows account push RDP protocol testing for final connectivity
--- a/apps/accounts/automations/push_account/manager.py
+++ b/apps/accounts/automations/push_account/manager.py
@@ -1,7 +1,4 @@
-from copy import deepcopy
-
-from accounts.const import AutomationTypes, SecretType, Connectivity
-from assets.const import HostTypes
+from accounts.const import AutomationTypes
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 from ..change_secret.manager import ChangeSecretManager
@@ -10,83 +7,11 @@ logger = get_logger(__name__)


 class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
-    ansible_account_prefer = ''

    @classmethod
    def method_type(cls):
        return AutomationTypes.push_account

-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        host = super(ChangeSecretManager, self).host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = self.get_accounts(account)
-        inventory_hosts = []
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            msg = f'Windows {asset} does not support ssh key push'
-            print(msg)
-            return inventory_hosts
-
-        host['ssh_params'] = {}
-        for account in accounts:
-            h = deepcopy(host)
-            secret_type = account.secret_type
-            h['name'] += '(' + account.username + ')'
-            if self.secret_type is None:
-                new_secret = account.secret
-            else:
-                new_secret = self.get_secret(secret_type)
-
-            self.name_recorder_mapper[h['name']] = {
-                'account': account, 'new_secret': new_secret,
-            }
-
-            private_key_path = None
-            if secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        account_info = self.name_recorder_mapper.get(host)
-        if not account_info:
-            return
-
-        account = account_info['account']
-        new_secret = account_info['new_secret']
-        if not account:
-            return
-        account.secret = new_secret
-        account.save(update_fields=['secret'])
-        account.set_connectivity(Connectivity.OK)
-
-    def on_host_error(self, host, error, result):
-        pass
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Pust account error: ", e)
-
-    def run(self, *args, **kwargs):
-        if self.secret_type and not self.check_secret():
-            return
-        super(ChangeSecretManager, self).run(*args, **kwargs)
-
    # @classmethod
    # def trigger_by_asset_create(cls, asset):
    #     automations = PushAccountAutomation.objects.filter(
--- a/apps/accounts/automations/verify_account/custom/rdp/main.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/main.yml
@@ -8,7 +8,7 @@
    - name: Verify account (pyfreerdp)
      rdp_ping:
        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
--- a/apps/accounts/automations/verify_account/custom/ssh/main.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/main.yml
@@ -2,13 +2,20 @@
  gather_facts: no
  vars:
    ansible_connection: local
+    ansible_shell_type: sh
+    ansible_become: false

  tasks:
    - name: Verify account (paramiko)
      ssh_ping:
        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'ssh') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: "{{ account.become.ansible_become_method | default('su') }}"
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
--- a/apps/accounts/automations/verify_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/verify_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongdb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Verify account
@@ -12,7 +12,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
--- a/apps/accounts/automations/verify_account/database/mysql/main.yml
+++ b/apps/accounts/automations/verify_account/database/mysql/main.yml
@@ -1,7 +1,8 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"

  tasks:
    - name: Verify account
@@ -10,4 +11,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/verify_account/database/oracle/main.yml
+++ b/apps/accounts/automations/verify_account/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/verify_account/database/postgresql/main.yml
@@ -1,8 +1,7 @@
 - hosts: postgresql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/verify_account/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python

  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/host/posix/main.yml
+++ b/apps/accounts/automations/verify_account/host/posix/main.yml
@@ -1,11 +1,23 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Verify account connectivity
-      become: no
+    - name: Verify account connectivity(Do not switch)
      ansible.builtin.ping:
      vars:
        ansible_become: no
        ansible_user: "{{ account.username }}"
        ansible_password: "{{ account.secret }}"
        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+      when: not account.become.ansible_become
+
+    - name: Verify account connectivity(Switch)
+      ansible.builtin.ping:
+      vars:
+        ansible_become: yes
+        ansible_user: "{{ account.become.ansible_user }}"
+        ansible_password: "{{ account.become.ansible_password }}"
+        ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
+        ansible_become_method: "{{ account.become.ansible_become_method }}"
+        ansible_become_user: "{{ account.become.ansible_become_user }}"
+        ansible_become_password: "{{ account.become.ansible_become_password }}"
+      when: account.become.ansible_become
--- a/apps/accounts/automations/verify_account/manager.py
+++ b/apps/accounts/automations/verify_account/manager.py
@@ -42,7 +42,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
        if host.get('error'):
            return host

-        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
        accounts = asset.accounts.all()
        accounts = self.get_accounts(account, accounts)
        inventory_hosts = []
@@ -64,7 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                'username': account.username,
                'secret_type': account.secret_type,
                'secret': secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
            }
            if account.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
--- a/apps/accounts/backends/init.py
+++ b/apps/accounts/backends/init.py
@@ -0,0 +1,41 @@
+from importlib import import_module
+
+from django.utils.functional import LazyObject
+
+from common.utils import get_logger
+from ..const import VaultTypeChoices
+
+__all__ = ['vault_client', 'get_vault_client']
+
+
+logger = get_logger(__file__)
+
+
+def get_vault_client(raise_exception=False, **kwargs):
+    enabled = kwargs.get('VAULT_ENABLED')
+    tp = 'hcp' if enabled else 'local'
+    try:
+        module_path = f'apps.accounts.backends.{tp}.main'
+        client = import_module(module_path).Vault(**kwargs)
+    except Exception as e:
+        logger.error(f'Init vault client failed: {e}')
+        if raise_exception:
+            raise
+        tp = VaultTypeChoices.local
+        module_path = f'apps.accounts.backends.{tp}.main'
+        client = import_module(module_path).Vault(**kwargs)
+    return client
+
+
+class VaultClient(LazyObject):
+
+    def _setup(self):
+        from jumpserver import settings as js_settings
+        from django.conf import settings
+        vault_config_names = [k for k in js_settings.__dict__.keys() if k.startswith('VAULT_')]
+        vault_configs = {name: getattr(settings, name, None) for name in vault_config_names}
+        self._wrapped = get_vault_client(**vault_configs)
+
+
+""" 为了安全, 页面修改配置, 重启服务后才会重新初始化 vault_client """
+vault_client = VaultClient()
--- a/apps/accounts/backends/base.py
+++ b/apps/accounts/backends/base.py
@@ -0,0 +1,74 @@
+from abc import ABC, abstractmethod
+
+from django.forms.models import model_to_dict
+
+__all__ = ['BaseVault']
+
+
+class BaseVault(ABC):
+
+    def __init__(self, *args, **kwargs):
+        self.enabled = kwargs.get('VAULT_ENABLED')
+
+    def get(self, instance):
+        """ 返回 secret 值 """
+        return self._get(instance)
+
+    def create(self, instance):
+        if not instance.secret_has_save_to_vault:
+            self._create(instance)
+            self._clean_db_secret(instance)
+            self.save_metadata(instance)
+
+        if instance.is_sync_metadata:
+            self.save_metadata(instance)
+
+    def update(self, instance):
+        if not instance.secret_has_save_to_vault:
+            self._update(instance)
+            self._clean_db_secret(instance)
+            self.save_metadata(instance)
+
+        if instance.is_sync_metadata:
+            self.save_metadata(instance)
+
+    def delete(self, instance):
+        self._delete(instance)
+
+    def save_metadata(self, instance):
+        metadata = model_to_dict(instance, fields=[
+            'name', 'username', 'secret_type',
+            'connectivity', 'su_from', 'privileged'
+        ])
+        metadata = {k: str(v)[:500] for k, v in metadata.items() if v}
+        return self._save_metadata(instance, metadata)
+
+    # -------- abstractmethod -------- #
+
+    @abstractmethod
+    def _get(self, instance):
+        raise NotImplementedError
+
+    @abstractmethod
+    def _create(self, instance):
+        raise NotImplementedError
+
+    @abstractmethod
+    def _update(self, instance):
+        raise NotImplementedError
+
+    @abstractmethod
+    def _delete(self, instance):
+        raise NotImplementedError
+
+    @abstractmethod
+    def _clean_db_secret(self, instance):
+        raise NotImplementedError
+
+    @abstractmethod
+    def _save_metadata(self, instance, metadata):
+        raise NotImplementedError
+
+    @abstractmethod
+    def is_active(self, *args, **kwargs) -> (bool, str):
+        raise NotImplementedError
--- a/apps/accounts/backends/hcp/init.py
+++ b/apps/accounts/backends/hcp/init.py
@@ -0,0 +1 @@
+from .main import *
--- a/apps/accounts/backends/hcp/entries.py
+++ b/apps/accounts/backends/hcp/entries.py
@@ -0,0 +1,84 @@
+import sys
+from abc import ABC
+
+from common.db.utils import Encryptor
+from common.utils import lazyproperty
+
+current_module = sys.modules[__name__]
+
+__all__ = ['build_entry']
+
+
+class BaseEntry(ABC):
+
+    def __init__(self, instance):
+        self.instance = instance
+
+    @lazyproperty
+    def full_path(self):
+        path_base = self.path_base
+        path_spec = self.path_spec
+        path = f'{path_base}/{path_spec}'
+        return path
+
+    @property
+    def path_base(self):
+        path = f'orgs/{self.instance.org_id}'
+        return path
+
+    @property
+    def path_spec(self):
+        raise NotImplementedError
+
+    def to_internal_data(self):
+        secret = getattr(self.instance, '_secret', None)
+        if secret is not None:
+            secret = Encryptor(secret).encrypt()
+        data = {'secret': secret}
+        return data
+
+    @staticmethod
+    def to_external_data(data):
+        secret = data.pop('secret', None)
+        if secret is not None:
+            secret = Encryptor(secret).decrypt()
+        return secret
+
+
+class AccountEntry(BaseEntry):
+
+    @property
+    def path_spec(self):
+        path = f'assets/{self.instance.asset_id}/accounts/{self.instance.id}'
+        return path
+
+
+class AccountTemplateEntry(BaseEntry):
+
+    @property
+    def path_spec(self):
+        path = f'account-templates/{self.instance.id}'
+        return path
+
+
+class HistoricalAccountEntry(BaseEntry):
+
+    @property
+    def path_base(self):
+        account = self.instance.instance
+        path = f'accounts/{account.id}/'
+        return path
+
+    @property
+    def path_spec(self):
+        path = f'histories/{self.instance.history_id}'
+        return path
+
+
+def build_entry(instance) -> BaseEntry:
+    class_name = instance.__class__.__name__
+    entry_class_name = f'{class_name}Entry'
+    entry_class = getattr(current_module, entry_class_name, None)
+    if not entry_class:
+        raise Exception(f'Entry class {entry_class_name} is not found')
+    return entry_class(instance)
--- a/apps/accounts/backends/hcp/main.py
+++ b/apps/accounts/backends/hcp/main.py
@@ -0,0 +1,53 @@
+from common.db.utils import get_logger
+from .entries import build_entry
+from .service import VaultKVClient
+from ..base import BaseVault
+
+__all__ = ['Vault']
+
+logger = get_logger(__name__)
+
+
+class Vault(BaseVault):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.client = VaultKVClient(
+            url=kwargs.get('VAULT_HCP_HOST'),
+            token=kwargs.get('VAULT_HCP_TOKEN'),
+            mount_point=kwargs.get('VAULT_HCP_MOUNT_POINT')
+        )
+
+    def is_active(self):
+        return self.client.is_active()
+
+    def _get(self, instance):
+        entry = build_entry(instance)
+        # TODO: get data 是不是层数太多了
+        data = self.client.get(path=entry.full_path).get('data', {})
+        data = entry.to_external_data(data)
+        return data
+
+    def _create(self, instance):
+        entry = build_entry(instance)
+        data = entry.to_internal_data()
+        self.client.create(path=entry.full_path, data=data)
+
+    def _update(self, instance):
+        entry = build_entry(instance)
+        data = entry.to_internal_data()
+        self.client.patch(path=entry.full_path, data=data)
+
+    def _delete(self, instance):
+        entry = build_entry(instance)
+        self.client.delete(path=entry.full_path)
+
+    def _clean_db_secret(self, instance):
+        instance.is_sync_metadata = False
+        instance.mark_secret_save_to_vault()
+
+    def _save_metadata(self, instance, metadata):
+        try:
+            entry = build_entry(instance)
+            self.client.update_metadata(path=entry.full_path, metadata=metadata)
+        except Exception as e:
+            logger.error(f'save metadata error: {e}')
--- a/apps/accounts/backends/hcp/service.py
+++ b/apps/accounts/backends/hcp/service.py
@@ -0,0 +1,102 @@
+# -*- coding: utf-8 -*-
+#
+import hvac
+from hvac import exceptions
+from requests.exceptions import ConnectionError
+
+from common.utils import get_logger
+
+logger = get_logger(__name__)
+
+__all__ = ['VaultKVClient']
+
+
+class VaultKVClient(object):
+    max_versions = 20
+
+    def __init__(self, url, token, mount_point):
+        assert isinstance(self.max_versions, int) and self.max_versions >= 3, (
+            'max_versions must to be an integer that is greater than or equal to 3'
+        )
+        self.client = hvac.Client(url=url, token=token)
+        self.mount_point = mount_point
+        self.enable_secrets_engine_if_need()
+
+    def is_active(self):
+        try:
+            if not self.client.sys.is_initialized():
+                return False, 'Vault is not initialized'
+            if self.client.sys.is_sealed():
+                return False, 'Vault is sealed'
+            if not self.client.is_authenticated():
+                return False, 'Vault is not authenticated'
+        except ConnectionError as e:
+            logger.error(str(e))
+            return False, f'Vault is not reachable: {e}'
+        else:
+            return True, ''
+
+    def enable_secrets_engine_if_need(self):
+        secrets_engines = self.client.sys.list_mounted_secrets_engines()
+        mount_points = secrets_engines.keys()
+        if f'{self.mount_point}/' in mount_points:
+            return
+        self.client.sys.enable_secrets_engine(
+            backend_type='kv',
+            path=self.mount_point,
+            options={'version': 2}  # TODO: version 是否从配置中读取?
+        )
+        self.client.secrets.kv.v2.configure(
+            max_versions=self.max_versions,
+            mount_point=self.mount_point
+        )
+
+    def get(self, path, version=None):
+        try:
+            response = self.client.secrets.kv.v2.read_secret_version(
+                path=path,
+                version=version,
+                mount_point=self.mount_point
+            )
+        except exceptions.InvalidPath as e:
+            return {}
+        data = response.get('data', {})
+        return data
+
+    def create(self, path, data: dict):
+        self._update_or_create(path=path, data=data)
+
+    def update(self, path, data: dict):
+        """ 未更新的数据会被删除 """
+        self._update_or_create(path=path, data=data)
+
+    def patch(self, path, data: dict):
+        """ 未更新的数据不会被删除 """
+        self.client.secrets.kv.v2.patch(
+            path=path,
+            secret=data,
+            mount_point=self.mount_point
+        )
+
+    def delete(self, path):
+        self.client.secrets.kv.v2.delete_metadata_and_all_versions(
+            path=path,
+            mount_point=self.mount_point,
+        )
+
+    def _update_or_create(self, path, data: dict):
+        self.client.secrets.kv.v2.create_or_update_secret(
+            path=path,
+            secret=data,
+            mount_point=self.mount_point
+        )
+
+    def update_metadata(self, path, metadata: dict):
+        try:
+            self.client.secrets.kv.v2.update_metadata(
+                path=path,
+                mount_point=self.mount_point,
+                custom_metadata=metadata
+            )
+        except exceptions.InvalidPath as e:
+            logger.error('Update metadata error: {}'.format(e))
--- a/apps/accounts/backends/local/init.py
+++ b/apps/accounts/backends/local/init.py
@@ -0,0 +1 @@
+from .main import *
--- a/apps/accounts/backends/local/main.py
+++ b/apps/accounts/backends/local/main.py
@@ -0,0 +1,36 @@
+from common.utils import get_logger
+from ..base import BaseVault
+
+logger = get_logger(__name__)
+
+__all__ = ['Vault']
+
+
+class Vault(BaseVault):
+
+    def is_active(self):
+        return True, ''
+
+    def _get(self, instance):
+        secret = getattr(instance, '_secret', None)
+        return secret
+
+    def _create(self, instance):
+        """ Ignore """
+        pass
+
+    def _update(self, instance):
+        """ Ignore """
+        pass
+
+    def _delete(self, instance):
+        """ Ignore """
+        pass
+
+    def _save_metadata(self, instance, metadata):
+        """ Ignore """
+        pass
+
+    def _clean_db_secret(self, instance):
+        """ Ignore *重要* 不能删除本地 secret """
+        pass
--- a/apps/accounts/const/init.py
+++ b/apps/accounts/const/init.py
@@ -1,2 +1,3 @@
 from .account import *
 from .automation import *
+from .vault import *
--- a/apps/accounts/const/account.py
+++ b/apps/accounts/const/account.py
@@ -1,5 +1,5 @@
 from django.db.models import TextChoices
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _


 class SecretType(TextChoices):
@@ -16,6 +16,10 @@ class AliasAccount(TextChoices):
    USER = '@USER', _('Dynamic user')
    ANON = '@ANON', _('Anonymous account')

+    @classmethod
+    def virtual_choices(cls):
+        return [(k, v) for k, v in cls.choices if k not in (cls.ALL,)]
+

 class Source(TextChoices):
    LOCAL = 'local', _('Local')
--- a/apps/accounts/const/automation.py
+++ b/apps/accounts/const/automation.py
@@ -1,20 +1,22 @@
 from django.db import models
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from assets.const import Connectivity
 from common.db.fields import TreeChoices

-string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
 DEFAULT_PASSWORD_LENGTH = 30
 DEFAULT_PASSWORD_RULES = {
    'length': DEFAULT_PASSWORD_LENGTH,
-    'symbol_set': string_punctuation
+    'uppercase': True,
+    'lowercase': True,
+    'digit': True,
+    'symbol': True,
 }

 __all__ = [
    'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
    'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
-    'PushAccountActionChoice',
+    'PushAccountActionChoice', 'AccountBackupType'
 ]


@@ -41,8 +43,8 @@ class AutomationTypes(models.TextChoices):


 class SecretStrategy(models.TextChoices):
-    custom = 'specific', _('Specific password')
-    random = 'random', _('Random')
+    custom = 'specific', _('Specific secret')
+    random = 'random', _('Random generate')


 class SSHKeyStrategy(models.TextChoices):
@@ -93,3 +95,10 @@ class TriggerChoice(models.TextChoices, TreeChoices):
 class PushAccountActionChoice(models.TextChoices):
    create_and_push = 'create_and_push', _('Create and push')
    only_create = 'only_create', _('Only create')
+
+
+class AccountBackupType(models.TextChoices):
+    """Backup type"""
+    email = 'email', _('Email')
+    # 目前只支持sftp方式
+    object_storage = 'object_storage', _('SFTP')
--- a/apps/accounts/const/vault.py
+++ b/apps/accounts/const/vault.py
@@ -0,0 +1,9 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+__all__ = ['VaultTypeChoices']
+
+
+class VaultTypeChoices(models.TextChoices):
+    local = 'local', _('Database')
+    hcp = 'hcp', _('HCP Vault')
--- a/apps/accounts/filters.py
+++ b/apps/accounts/filters.py
@@ -13,7 +13,8 @@ class AccountFilterSet(BaseFilterSet):
    hostname = drf_filters.CharFilter(field_name='name', lookup_expr='exact')
    username = drf_filters.CharFilter(field_name="username", lookup_expr='exact')
    address = drf_filters.CharFilter(field_name="asset__address", lookup_expr='exact')
-    asset = drf_filters.CharFilter(field_name="asset_id", lookup_expr='exact')
+    asset_id = drf_filters.CharFilter(field_name="asset", lookup_expr='exact')
+    asset = drf_filters.CharFilter(field_name='asset', lookup_expr='exact')
    assets = drf_filters.CharFilter(field_name='asset_id', lookup_expr='exact')
    nodes = drf_filters.CharFilter(method='filter_nodes')
    node_id = drf_filters.CharFilter(method='filter_nodes')
@@ -45,7 +46,7 @@ class AccountFilterSet(BaseFilterSet):

    class Meta:
        model = Account
-        fields = ['id', 'asset_id', 'source_id', 'secret_type']
+        fields = ['id', 'asset', 'source_id', 'secret_type']


 class GatheredAccountFilterSet(BaseFilterSet):
--- a/apps/accounts/migrations/0003_automation.py
+++ b/apps/accounts/migrations/0003_automation.py
@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
                'verbose_name': 'Automation execution',
                'verbose_name_plural': 'Automation executions',
                'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexection', 'Can add change secret execution'),
+                                ('add_changesecretexecution', 'Can add change secret execution'),
                                ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
                'proxy': True,
@@ -113,10 +113,10 @@ class Migration(migrations.Migration):
                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                ('old_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Old secret')),
-                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='New secret')),
                ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
                ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
-                ('status', models.CharField(default='pending', max_length=16)),
+                ('status', models.CharField(default='pending', max_length=16, verbose_name='Status')),
                ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
                ('account',
                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account')),
@@ -184,7 +184,7 @@ class Migration(migrations.Migration):
        migrations.AlterModelOptions(
            name='automationexecution',
            options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexection', 'Can add change secret execution'),
+                                     ('add_changesecretexecution', 'Can add change secret execution'),
                                     ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                     ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
                                     ('view_pushaccountexecution', 'Can view push account execution'),
--- a/apps/accounts/migrations/0004_auto_20230106_1507.py
+++ b/apps/accounts/migrations/0004_auto_20230106_1507.py
@@ -13,11 +13,11 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='changesecretautomation',
            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
        ),
        migrations.AlterField(
            model_name='pushaccountautomation',
            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
        ),
    ]
--- a/apps/accounts/migrations/0012_auto_20230621_1456.py
+++ b/apps/accounts/migrations/0012_auto_20230621_1456.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.2.19 on 2023-06-21 06:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0011_auto_20230506_1443'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='account',
+            old_name='secret',
+            new_name='_secret',
+        ),
+        migrations.RenameField(
+            model_name='accounttemplate',
+            old_name='secret',
+            new_name='_secret',
+        ),
+        migrations.RenameField(
+            model_name='historicalaccount',
+            old_name='secret',
+            new_name='_secret',
+        ),
+    ]
--- a/apps/accounts/migrations/0013_account_backup_recipients.py
+++ b/apps/accounts/migrations/0013_account_backup_recipients.py
@@ -0,0 +1,77 @@
+# Generated by Django 4.1.10 on 2023-08-03 08:28
+from django.conf import settings
+from django.db import migrations, models
+
+import common.db.encoder
+
+
+def migrate_recipients(apps, schema_editor):
+    account_backup_model = apps.get_model('accounts', 'AccountBackupAutomation')
+    execution_model = apps.get_model('accounts', 'AccountBackupExecution')
+    for account_backup in account_backup_model.objects.all():
+        recipients = list(account_backup.recipients.all())
+        if not recipients:
+            continue
+        account_backup.recipients_part_one.set(recipients)
+
+    objs = []
+    for execution in execution_model.objects.all():
+        snapshot = execution.snapshot
+        recipients = snapshot.pop('recipients', {})
+        snapshot.update({'recipients_part_one': recipients, 'recipients_part_two': {}})
+        objs.append(execution)
+    execution_model.objects.bulk_update(objs, ['snapshot'])
+
+
+def migrate_snapshot(apps, schema_editor):
+    model = apps.get_model('accounts', 'AccountBackupExecution')
+    objs = []
+    for execution in model.objects.all():
+        execution.snapshot = execution.plan_snapshot
+        objs.append(execution)
+    model.objects.bulk_update(objs, ['snapshot'])
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('accounts', '0012_auto_20230621_1456'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='recipients_part_one',
+            field=models.ManyToManyField(
+                blank=True, related_name='recipient_part_one_plans',
+                to=settings.AUTH_USER_MODEL, verbose_name='Recipient part one'
+            ),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='recipients_part_two',
+            field=models.ManyToManyField(
+                blank=True, related_name='recipient_part_two_plans',
+                to=settings.AUTH_USER_MODEL, verbose_name='Recipient part two'
+            ),
+        ),
+        migrations.AddField(
+            model_name='accountbackupexecution',
+            name='snapshot',
+            field=models.JSONField(
+                default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder,
+                null=True, blank=True, verbose_name='Account backup snapshot'
+            ),
+        ),
+        migrations.RunPython(migrate_snapshot),
+        migrations.RunPython(migrate_recipients),
+        migrations.RemoveField(
+            model_name='accountbackupexecution',
+            name='plan_snapshot',
+        ),
+        migrations.RemoveField(
+            model_name='accountbackupautomation',
+            name='recipients',
+        ),
+
+    ]
--- a/apps/accounts/migrations/0014_virtualaccount.py
+++ b/apps/accounts/migrations/0014_virtualaccount.py
@@ -0,0 +1,30 @@
+# Generated by Django 4.1.10 on 2023-08-01 09:12
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0013_account_backup_recipients'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='VirtualAccount',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('alias', models.CharField(choices=[('@INPUT', 'Manual input'), ('@USER', 'Dynamic user'), ('@ANON', 'Anonymous account')], max_length=128, verbose_name='Alias')),
+                ('secret_from_login', models.BooleanField(default=None, null=True, verbose_name='Secret from login')),
+            ],
+            options={
+                'unique_together': {('alias', 'org_id')},
+            },
+        ),
+    ]
--- a/apps/accounts/migrations/0015_auto_20230825_1120.py
+++ b/apps/accounts/migrations/0015_auto_20230825_1120.py
@@ -0,0 +1,34 @@
+# Generated by Django 4.1.10 on 2023-08-25 03:19
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0122_auto_20230803_1553'),
+        ('accounts', '0014_virtualaccount'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='auto_push',
+            field=models.BooleanField(default=False, verbose_name='Auto push'),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='platforms',
+            field=models.ManyToManyField(related_name='account_templates', to='assets.platform', verbose_name='Platforms', blank=True),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='push_params',
+            field=models.JSONField(default=dict, verbose_name='Push params'),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='secret_strategy',
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
+        ),
+    ]
--- a/apps/accounts/migrations/0016_accounttemplate_password_rules.py
+++ b/apps/accounts/migrations/0016_accounttemplate_password_rules.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.1.10 on 2023-09-18 08:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0015_auto_20230825_1120'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='password_rules',
+            field=models.JSONField(default=dict, verbose_name='Password rules'),
+        ),
+    ]
--- a/apps/accounts/migrations/0017_alter_automationexecution_options.py
+++ b/apps/accounts/migrations/0017_alter_automationexecution_options.py
@@ -0,0 +1,25 @@
+# Generated by Django 4.1.10 on 2023-10-24 05:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('accounts', '0016_accounttemplate_password_rules'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='automationexecution',
+            options={
+                'permissions': [
+                    ('view_changesecretexecution', 'Can view change secret execution'),
+                    ('add_changesecretexecution', 'Can add change secret execution'),
+                    ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
+                    ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
+                    ('view_pushaccountexecution', 'Can view push account execution'),
+                    ('add_pushaccountexecution', 'Can add push account execution')
+                ],
+                'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
+        ),
+    ]
--- a/apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py
+++ b/apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py
@@ -0,0 +1,45 @@
+# Generated by Django 4.1.10 on 2023-11-03 07:10
+
+import common.db.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0067_alter_replaystorage_type'),
+        ('accounts', '0017_alter_automationexecution_options'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='backup_type',
+            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'Object Storage')], default='email', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_email',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_obj_storage',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_one',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_one_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part one'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_two',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_two_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part two'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='zip_encrypt_password',
+            field=common.db.fields.EncryptCharField(blank=True, max_length=4096, null=True, verbose_name='Zip Encrypt Password'),
+        ),
+    ]
--- a/apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py
+++ b/apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py
@@ -0,0 +1,20 @@
+# Generated by Django 4.1.10 on 2023-10-31 06:12
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('accounts', '0018_accountbackupautomation_backup_type_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='gatheraccountsautomation',
+            name='recipients',
+            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
+        ),
+    ]
--- a/apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py
+++ b/apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py
@@ -0,0 +1,28 @@
+# Generated by Django 4.1.10 on 2023-11-16 02:13
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0019_gatheraccountsautomation_recipients'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='backup_type',
+            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'SFTP')], default='email', max_length=128, verbose_name='Backup Type'),
+        ),
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_email',
+            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
+        ),
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_obj_storage',
+            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
+        ),
+    ]
--- a/apps/accounts/mixins.py
+++ b/apps/accounts/mixins.py
@@ -0,0 +1,75 @@
+from rest_framework.response import Response
+from rest_framework import status
+from django.utils import translation
+from django.utils.translation import gettext_noop
+
+from audits.const import ActionChoices
+from common.views.mixins import RecordViewLogMixin
+from common.utils import i18n_fmt
+
+
+class AccountRecordViewLogMixin(RecordViewLogMixin):
+    get_object: callable
+    get_queryset: callable
+
+    @staticmethod
+    def _filter_params(params):
+        new_params = {}
+        need_pop_params = ('format', 'order')
+        for key, value in params.items():
+            if key in need_pop_params:
+                continue
+            if isinstance(value, list):
+                value = list(filter(None, value))
+            if value:
+                new_params[key] = value
+        return new_params
+
+    def get_resource_display(self, request):
+        query_params = dict(request.query_params)
+        params = self._filter_params(query_params)
+
+        spm_filter = params.pop("spm", None)
+
+        if not params and not spm_filter:
+            display_message = gettext_noop("Export all")
+        elif spm_filter:
+            display_message = gettext_noop("Export only selected items")
+        else:
+            query = ",".join(
+                ["%s=%s" % (key, value) for key, value in params.items()]
+            )
+            display_message = i18n_fmt(gettext_noop("Export filtered: %s"), query)
+        return display_message
+
+    @property
+    def detail_msg(self):
+        return i18n_fmt(
+            gettext_noop('User %s view/export secret'), self.request.user
+        )
+
+    def list(self, request, *args, **kwargs):
+        list_func = getattr(super(), 'list')
+        if not callable(list_func):
+            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+        response = list_func(request, *args, **kwargs)
+        with translation.override('en'):
+            resource_display = self.get_resource_display(request)
+            ids = [q.id for q in self.get_queryset()]
+            self.record_logs(
+                ids, ActionChoices.view, self.detail_msg, resource_display=resource_display
+            )
+        return response
+
+    def retrieve(self, request, *args, **kwargs):
+        retrieve_func = getattr(super(), 'retrieve')
+        if not callable(retrieve_func):
+            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+        response = retrieve_func(request, *args, **kwargs)
+        with translation.override('en'):
+            resource = self.get_object()
+            self.record_logs(
+                [resource.id], ActionChoices.view, self.detail_msg, resource=resource
+            )
+        return response
+
--- a/apps/accounts/models/init.py
+++ b/apps/accounts/models/init.py
@@ -1,3 +1,5 @@
-from .account import *
-from .automations import *
-from .base import *
+from .account import *  # noqa
+from .base import *  # noqa
+from .automations import *  # noqa
+from .template import *  # noqa
+from .virtual import *  # noqa
--- a/apps/accounts/models/account.py
+++ b/apps/accounts/models/account.py
@@ -1,15 +1,14 @@
 from django.db import models
-from django.db.models import Count, Q
-from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from simple_history.models import HistoricalRecords

 from assets.models.base import AbsConnectivity
 from common.utils import lazyproperty
 from .base import BaseAccount
-from ..const import AliasAccount, Source
+from .mixins import VaultModelMixin
+from ..const import Source

-__all__ = ['Account', 'AccountTemplate']
+__all__ = ['Account', 'AccountHistoricalRecords']


 class AccountHistoricalRecords(HistoricalRecords):
@@ -32,7 +31,7 @@ class AccountHistoricalRecords(HistoricalRecords):
        diff = attrs - history_attrs
        if not diff:
            return
-        super().post_save(instance, created, using=using, **kwargs)
+        return super().post_save(instance, created, using=using, **kwargs)

    def create_history_model(self, model, inherited):
        if self.included_fields and not self.excluded_fields:
@@ -53,7 +52,7 @@ class Account(AbsConnectivity, BaseAccount):
        on_delete=models.SET_NULL, verbose_name=_("Su from")
    )
    version = models.IntegerField(default=0, verbose_name=_('Version'))
-    history = AccountHistoricalRecords(included_fields=['id', 'secret', 'secret_type', 'version'])
+    history = AccountHistoricalRecords(included_fields=['id', '_secret', 'secret_type', 'version'])
    source = models.CharField(max_length=30, default=Source.LOCAL, verbose_name=_('Source'))
    source_id = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Source ID'))

@@ -88,29 +87,6 @@ class Account(AbsConnectivity, BaseAccount):
    def has_secret(self):
        return bool(self.secret)

-    @classmethod
-    def get_special_account(cls, name):
-        if name == AliasAccount.INPUT.value:
-            return cls.get_manual_account()
-        elif name == AliasAccount.ANON.value:
-            return cls.get_anonymous_account()
-        else:
-            return cls(name=name, username=name, secret=None)
-
-    @classmethod
-    def get_manual_account(cls):
-        """ @INPUT 手动登录的账号(any) """
-        return cls(name=AliasAccount.INPUT.label, username=AliasAccount.INPUT.value, secret=None)
-
-    @classmethod
-    def get_anonymous_account(cls):
-        return cls(name=AliasAccount.ANON.label, username=AliasAccount.ANON.value, secret=None)
-
-    @classmethod
-    def get_user_account(cls):
-        """ @USER 动态用户的账号(self) """
-        return cls(name=AliasAccount.USER.label, username=AliasAccount.USER.value, secret=None)
-
    @lazyproperty
    def versions(self):
        return self.history.count()
@@ -119,82 +95,47 @@ class Account(AbsConnectivity, BaseAccount):
        """ 排除自己和以自己为 su-from 的账号 """
        return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)

-
-class AccountTemplate(BaseAccount):
-    su_from = models.ForeignKey(
-        'self', related_name='su_to', null=True,
-        on_delete=models.SET_NULL, verbose_name=_("Su from")
-    )
-
-    class Meta:
-        verbose_name = _('Account template')
-        unique_together = (
-            ('name', 'org_id'),
-        )
-        permissions = [
-            ('view_accounttemplatesecret', _('Can view asset account template secret')),
-            ('change_accounttemplatesecret', _('Can change asset account template secret')),
-        ]
-
-    @classmethod
-    def get_su_from_account_templates(cls, pk=None):
-        if pk is None:
-            return cls.objects.all()
-        return cls.objects.exclude(Q(id=pk) | Q(su_from_id=pk))
-
-    def __str__(self):
-        return f'{self.name}({self.username})'
-
-    def get_su_from_account(self, asset):
-        su_from = self.su_from
-        if su_from and asset.platform.su_enabled:
-            account = asset.accounts.filter(
-                username=su_from.username,
-                secret_type=su_from.secret_type
-            ).first()
-            return account
-
-    def __str__(self):
-        return self.username
-
    @staticmethod
-    def bulk_update_accounts(accounts, data):
-        history_model = Account.history.model
-        account_ids = accounts.values_list('id', flat=True)
-        history_accounts = history_model.objects.filter(id__in=account_ids)
-        account_id_count_map = {
-            str(i['id']): i['count']
-            for i in history_accounts.values('id').order_by('id')
-            .annotate(count=Count(1)).values('id', 'count')
+    def make_account_ansible_vars(su_from):
+        var = {
+            'ansible_user': su_from.username,
        }
+        if not su_from.secret:
+            return var
+        var['ansible_password'] = su_from.secret
+        var['ansible_ssh_private_key_file'] = su_from.private_key_path
+        return var

-        for account in accounts:
-            account_id = str(account.id)
-            account.version = account_id_count_map.get(account_id) + 1
-            for k, v in data.items():
-                setattr(account, k, v)
-        Account.objects.bulk_update(accounts, ['version', 'secret'])
+    def get_ansible_become_auth(self):
+        su_from = self.su_from
+        platform = self.platform
+        auth = {'ansible_become': False}
+        if not (platform.su_enabled and su_from):
+            return auth

-    @staticmethod
-    def bulk_create_history_accounts(accounts, user_id):
-        history_model = Account.history.model
-        history_account_objs = []
-        for account in accounts:
-            history_account_objs.append(
-                history_model(
-                    id=account.id,
-                    version=account.version,
-                    secret=account.secret,
-                    secret_type=account.secret_type,
-                    history_user_id=user_id,
-                    history_date=timezone.now()
-                )
-            )
-        history_model.objects.bulk_create(history_account_objs)
+        auth.update(self.make_account_ansible_vars(su_from))
+        become_method = platform.su_method if platform.su_method else 'sudo'
+        password = su_from.secret if become_method == 'sudo' else self.secret
+        auth['ansible_become'] = True
+        auth['ansible_become_method'] = become_method
+        auth['ansible_become_user'] = self.username
+        auth['ansible_become_password'] = password
+        return auth

-    def bulk_sync_account_secret(self, accounts, user_id):
-        """ 批量同步账号密码 """
-        if not accounts:
-            return
-        self.bulk_update_accounts(accounts, {'secret': self.secret})
-        self.bulk_create_history_accounts(accounts, user_id)
+
+def replace_history_model_with_mixin():
+    """
+    替换历史模型中的父类为指定的Mixin类。
+
+    Parameters:
+        model (class): 历史模型类，例如 Account.history.model
+        mixin_class (class): 要替换为的Mixin类
+
+    Returns:
+        None
+    """
+    model = Account.history.model
+    model.__bases__ = (VaultModelMixin,) + model.__bases__
+
+
+replace_history_model_with_mixin()
--- a/apps/accounts/models/automations/backup_account.py
+++ b/apps/accounts/models/automations/backup_account.py
@@ -6,12 +6,13 @@ import uuid
 from celery import current_task
 from django.db import models
 from django.db.models import F
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

+from accounts.const.automation import AccountBackupType
 from common.const.choices import Trigger
+from common.db import fields
 from common.db.encoder import ModelJSONFieldEncoder
-from common.utils import get_logger
-from common.utils import lazyproperty
+from common.utils import get_logger, lazyproperty
 from ops.mixin import PeriodTaskModelMixin
 from orgs.mixins.models import OrgModelMixin, JMSOrgBaseModel

@@ -22,10 +23,28 @@ logger = get_logger(__file__)

 class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
    types = models.JSONField(default=list)
-    recipients = models.ManyToManyField(
-        'users.User', related_name='recipient_escape_route_plans', blank=True,
-        verbose_name=_("Recipient")
+    backup_type = models.CharField(max_length=128, choices=AccountBackupType.choices,
+                                   default=AccountBackupType.email.value, verbose_name=_('Backup Type'))
+    is_password_divided_by_email = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
+    is_password_divided_by_obj_storage = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
+    recipients_part_one = models.ManyToManyField(
+        'users.User', related_name='recipient_part_one_plans', blank=True,
+        verbose_name=_("Recipient part one")
    )
+    recipients_part_two = models.ManyToManyField(
+        'users.User', related_name='recipient_part_two_plans', blank=True,
+        verbose_name=_("Recipient part two")
+    )
+    obj_recipients_part_one = models.ManyToManyField(
+        'terminal.ReplayStorage', related_name='obj_recipient_part_one_plans', blank=True,
+        verbose_name=_("Object Storage Recipient part one")
+    )
+    obj_recipients_part_two = models.ManyToManyField(
+        'terminal.ReplayStorage', related_name='obj_recipient_part_two_plans', blank=True,
+        verbose_name=_("Object Storage Recipient part two")
+    )
+    zip_encrypt_password = fields.EncryptCharField(max_length=4096, blank=True, null=True,
+                                                   verbose_name=_('Zip Encrypt Password'))

    def __str__(self):
        return f'{self.name}({self.org_id})'
@@ -45,6 +64,7 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):

    def to_attr_json(self):
        return {
+            'id': self.id,
            'name': self.name,
            'is_periodic': self.is_periodic,
            'interval': self.interval,
@@ -52,10 +72,26 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
            'org_id': self.org_id,
            'created_by': self.created_by,
            'types': self.types,
-            'recipients': {
-                str(recipient.id): (str(recipient), bool(recipient.secret_key))
-                for recipient in self.recipients.all()
-            }
+            'backup_type': self.backup_type,
+            'is_password_divided_by_email': self.is_password_divided_by_email,
+            'is_password_divided_by_obj_storage': self.is_password_divided_by_obj_storage,
+            'zip_encrypt_password': self.zip_encrypt_password,
+            'recipients_part_one': {
+                str(user.id): (str(user), bool(user.secret_key))
+                for user in self.recipients_part_one.all()
+            },
+            'recipients_part_two': {
+                str(user.id): (str(user), bool(user.secret_key))
+                for user in self.recipients_part_two.all()
+            },
+            'obj_recipients_part_one': {
+                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
+                for obj_storage in self.obj_recipients_part_one.all()
+            },
+            'obj_recipients_part_two': {
+                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
+                for obj_storage in self.obj_recipients_part_two.all()
+            },
        }

    @property
@@ -68,7 +104,7 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
        except AttributeError:
            hid = str(uuid.uuid4())
        execution = AccountBackupExecution.objects.create(
-            id=hid, plan=self, plan_snapshot=self.to_attr_json(), trigger=trigger
+            id=hid, plan=self, snapshot=self.to_attr_json(), trigger=trigger
        )
        return execution.start()

@@ -85,7 +121,7 @@ class AccountBackupExecution(OrgModelMixin):
    timedelta = models.FloatField(
        default=0.0, verbose_name=_('Time'), null=True
    )
-    plan_snapshot = models.JSONField(
+    snapshot = models.JSONField(
        encoder=ModelJSONFieldEncoder, default=dict,
        blank=True, null=True, verbose_name=_('Account backup snapshot')
    )
@@ -108,16 +144,9 @@ class AccountBackupExecution(OrgModelMixin):

    @property
    def types(self):
-        types = self.plan_snapshot.get('types')
+        types = self.snapshot.get('types')
        return types

-    @property
-    def recipients(self):
-        recipients = self.plan_snapshot.get('recipients')
-        if not recipients:
-            return []
-        return recipients.values()
-
    @lazyproperty
    def backup_accounts(self):
        from accounts.models import Account
--- a/apps/accounts/models/automations/base.py
+++ b/apps/accounts/models/automations/base.py
@@ -1,12 +1,15 @@
+from django.db import models
 from django.utils.translation import gettext_lazy as _

+from accounts.const import SSHKeyStrategy
+from accounts.models import Account, SecretWithRandomMixin
 from accounts.tasks import execute_account_automation_task
 from assets.models.automations import (
    BaseAutomation as AssetBaseAutomation,
    AutomationExecution as AssetAutomationExecution
 )

-__all__ = ['AccountBaseAutomation', 'AutomationExecution']
+__all__ = ['AccountBaseAutomation', 'AutomationExecution', 'ChangeSecretMixin']


 class AccountBaseAutomation(AssetBaseAutomation):
@@ -30,7 +33,7 @@ class AutomationExecution(AssetAutomationExecution):
        verbose_name_plural = _("Automation executions")
        permissions = [
            ('view_changesecretexecution', _('Can view change secret execution')),
-            ('add_changesecretexection', _('Can add change secret execution')),
+            ('add_changesecretexecution', _('Can add change secret execution')),

            ('view_gatheraccountsexecution', _('Can view gather accounts execution')),
            ('add_gatheraccountsexecution', _('Can add gather accounts execution')),
@@ -43,3 +46,40 @@ class AutomationExecution(AssetAutomationExecution):
        from accounts.automations.endpoint import ExecutionManager
        manager = ExecutionManager(execution=self)
        return manager.run()
+
+
+class ChangeSecretMixin(SecretWithRandomMixin):
+    ssh_key_change_strategy = models.CharField(
+        choices=SSHKeyStrategy.choices, max_length=16,
+        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
+    )
+    get_all_assets: callable  # get all assets
+
+    class Meta:
+        abstract = True
+
+    def create_nonlocal_accounts(self, usernames, asset):
+        pass
+
+    def get_account_ids(self):
+        usernames = self.accounts
+        accounts = Account.objects.none()
+        for asset in self.get_all_assets():
+            self.create_nonlocal_accounts(usernames, asset)
+            accounts = accounts | asset.accounts.all()
+        account_ids = accounts.filter(
+            username__in=usernames, secret_type=self.secret_type
+        ).values_list('id', flat=True)
+        return [str(_id) for _id in account_ids]
+
+    def to_attr_json(self):
+        attr_json = super().to_attr_json()
+        attr_json.update({
+            'secret': self.secret,
+            'secret_type': self.secret_type,
+            'accounts': self.get_account_ids(),
+            'password_rules': self.password_rules,
+            'secret_strategy': self.secret_strategy,
+            'ssh_key_change_strategy': self.ssh_key_change_strategy,
+        })
+        return attr_json
--- a/apps/accounts/models/automations/change_secret.py
+++ b/apps/accounts/models/automations/change_secret.py
@@ -1,63 +1,14 @@
 from django.db import models
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from accounts.const import (
-    AutomationTypes, SecretType, SecretStrategy, SSHKeyStrategy
+    AutomationTypes
 )
-from accounts.models import Account
 from common.db import fields
 from common.db.models import JMSBaseModel
-from .base import AccountBaseAutomation
+from .base import AccountBaseAutomation, ChangeSecretMixin

-__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', 'ChangeSecretMixin']
-
-
-class ChangeSecretMixin(models.Model):
-    secret_type = models.CharField(
-        choices=SecretType.choices, max_length=16,
-        default=SecretType.PASSWORD, verbose_name=_('Secret type')
-    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    secret_strategy = models.CharField(
-        choices=SecretStrategy.choices, max_length=16,
-        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
-    )
-    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
-    ssh_key_change_strategy = models.CharField(
-        choices=SSHKeyStrategy.choices, max_length=16,
-        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
-    )
-
-    get_all_assets: callable  # get all assets
-
-    class Meta:
-        abstract = True
-
-    def create_nonlocal_accounts(self, usernames, asset):
-        pass
-
-    def get_account_ids(self):
-        usernames = self.accounts
-        accounts = Account.objects.none()
-        for asset in self.get_all_assets():
-            self.create_nonlocal_accounts(usernames, asset)
-            accounts = accounts | asset.accounts.all()
-        account_ids = accounts.filter(
-            username__in=usernames, secret_type=self.secret_type
-        ).values_list('id', flat=True)
-        return [str(_id) for _id in account_ids]
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'secret': self.secret,
-            'secret_type': self.secret_type,
-            'accounts': self.get_account_ids(),
-            'password_rules': self.password_rules,
-            'secret_strategy': self.secret_strategy,
-            'ssh_key_change_strategy': self.ssh_key_change_strategy,
-        })
-        return attr_json
+__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', ]


 class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):
@@ -86,10 +37,10 @@ class ChangeSecretRecord(JMSBaseModel):
    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, null=True)
    account = models.ForeignKey('accounts.Account', on_delete=models.CASCADE, null=True)
    old_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Old secret'))
-    new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
+    new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('New secret'))
    date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
    date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
-    status = models.CharField(max_length=16, default='pending')
+    status = models.CharField(max_length=16, default='pending', verbose_name=_('Status'))
    error = models.TextField(blank=True, null=True, verbose_name=_('Error'))

    class Meta:
@@ -98,9 +49,3 @@ class ChangeSecretRecord(JMSBaseModel):

    def __str__(self):
        return self.account.__str__()
-
-    @property
-    def timedelta(self):
-        if self.date_started and self.date_finished:
-            return self.date_finished - self.date_started
-        return None
--- a/apps/accounts/models/automations/gather_account.py
+++ b/apps/accounts/models/automations/gather_account.py
@@ -1,6 +1,6 @@
 from django.db import models
 from django.db.models import Q
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from accounts.const import AutomationTypes, Source
 from accounts.models import Account
@@ -55,11 +55,15 @@ class GatherAccountsAutomation(AccountBaseAutomation):
    is_sync_account = models.BooleanField(
        default=False, blank=True, verbose_name=_("Is sync account")
    )
+    recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)

    def to_attr_json(self):
        attr_json = super().to_attr_json()
        attr_json.update({
            'is_sync_account': self.is_sync_account,
+            'recipients': [
+                str(recipient.id) for recipient in self.recipients.all()
+            ]
        })
        return attr_json

--- a/apps/accounts/models/automations/push_account.py
+++ b/apps/accounts/models/automations/push_account.py
@@ -1,9 +1,9 @@
+from django.conf import settings
 from django.db import models
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from accounts.const import AutomationTypes
 from accounts.models import Account
-from jumpserver.utils import has_valid_xpack_license
 from .base import AccountBaseAutomation
 from .change_secret import ChangeSecretMixin

@@ -17,9 +17,9 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):

    def create_nonlocal_accounts(self, usernames, asset):
        secret_type = self.secret_type
-        account_usernames = asset.accounts.filter(secret_type=self.secret_type).values_list(
-            'username', flat=True
-        )
+        account_usernames = asset.accounts \
+            .filter(secret_type=self.secret_type) \
+            .values_list('username', flat=True)
        create_usernames = set(usernames) - set(account_usernames)
        create_account_objs = [
            Account(
@@ -30,9 +30,6 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
        ]
        Account.objects.bulk_create(create_account_objs)

-    def set_period_schedule(self):
-        pass
-
    @property
    def dynamic_username(self):
        return self.username == '@USER'
@@ -44,7 +41,7 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):

    def save(self, *args, **kwargs):
        self.type = AutomationTypes.push_account
-        if not has_valid_xpack_license():
+        if not settings.XPACK_LICENSE_IS_VALID:
            self.is_periodic = False
        super().save(*args, **kwargs)

--- a/apps/accounts/models/automations/verify_account.py
+++ b/apps/accounts/models/automations/verify_account.py
@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from accounts.const import AutomationTypes
 from .base import AccountBaseAutomation
--- a/apps/accounts/models/base.py
+++ b/apps/accounts/models/base.py
@@ -6,9 +6,11 @@ from hashlib import md5
 import sshpubkeys
 from django.conf import settings
 from django.db import models
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

-from accounts.const import SecretType
+from accounts.const import SecretType, SecretStrategy
+from accounts.models.mixins import VaultModelMixin, VaultManagerMixin, VaultQuerySetMixin
+from accounts.utils import SecretGenerator
 from common.db import fields
 from common.utils import (
    ssh_key_string_to_obj, ssh_key_gen, get_logger,
@@ -19,23 +21,51 @@ from orgs.mixins.models import JMSOrgBaseModel, OrgManager
 logger = get_logger(__file__)


-class BaseAccountQuerySet(models.QuerySet):
+class BaseAccountQuerySet(VaultQuerySetMixin, models.QuerySet):
    def active(self):
        return self.filter(is_active=True)


-class BaseAccountManager(OrgManager):
+class BaseAccountManager(VaultManagerMixin, OrgManager):
    def active(self):
        return self.get_queryset().active()


-class BaseAccount(JMSOrgBaseModel):
+class SecretWithRandomMixin(models.Model):
+    secret_type = models.CharField(
+        choices=SecretType.choices, max_length=16,
+        default=SecretType.PASSWORD, verbose_name=_('Secret type')
+    )
+    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
+    secret_strategy = models.CharField(
+        choices=SecretStrategy.choices, max_length=16,
+        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
+    )
+    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
+
+    class Meta:
+        abstract = True
+
+    @lazyproperty
+    def secret_generator(self):
+        return SecretGenerator(
+            self.secret_strategy, self.secret_type,
+            self.password_rules,
+        )
+
+    def get_secret(self):
+        if self.secret_strategy == 'random':
+            return self.secret_generator.get_secret()
+        else:
+            return self.secret
+
+
+class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
    name = models.CharField(max_length=128, verbose_name=_("Name"))
    username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), db_index=True)
    secret_type = models.CharField(
        max_length=16, choices=SecretType.choices, default=SecretType.PASSWORD, verbose_name=_('Secret type')
    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
    privileged = models.BooleanField(verbose_name=_("Privileged"), default=False)
    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))

--- a/apps/accounts/models/mixins/init.py
+++ b/apps/accounts/models/mixins/init.py
@@ -0,0 +1 @@
+from .vault import *
--- a/apps/accounts/models/mixins/vault.py
+++ b/apps/accounts/models/mixins/vault.py
@@ -0,0 +1,95 @@
+from django.db import models
+from django.db.models.signals import post_save
+from django.utils.translation import gettext_lazy as _
+
+from common.db import fields
+
+__all__ = ['VaultQuerySetMixin', 'VaultManagerMixin', 'VaultModelMixin']
+
+
+class VaultQuerySetMixin(models.QuerySet):
+
+    def update(self, **kwargs):
+        """
+           1. 替换 secret 为 _secret
+           2. 触发 post_save 信号
+        """
+        if 'secret' in kwargs:
+            kwargs.update({
+                '_secret': kwargs.pop('secret')
+            })
+        rows = super().update(**kwargs)
+
+        # 为了获取更新后的对象所以单独查询一次
+        ids = self.values_list('id', flat=True)
+        objs = self.model.objects.filter(id__in=ids)
+        for obj in objs:
+            post_save.send(obj.__class__, instance=obj, created=False)
+        return rows
+
+
+class VaultManagerMixin(models.Manager):
+    """ 触发 bulk_create 和 bulk_update 操作下的 post_save 信号 """
+
+    def bulk_create(self, objs, batch_size=None, ignore_conflicts=False):
+        objs = super().bulk_create(objs, batch_size=batch_size, ignore_conflicts=ignore_conflicts)
+        for obj in objs:
+            post_save.send(obj.__class__, instance=obj, created=True)
+        return objs
+
+    def bulk_update(self, objs, fields, batch_size=None):
+        fields = ["_secret" if field == "secret" else field for field in fields]
+        super().bulk_update(objs, fields, batch_size=batch_size)
+        for obj in objs:
+            post_save.send(obj.__class__, instance=obj, created=False)
+        return objs
+
+
+class VaultModelMixin(models.Model):
+    _secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
+    is_sync_metadata = True
+
+    class Meta:
+        abstract = True
+
+    # 缓存 secret 值, lazy-property 不能用
+    __secret = None
+
+    @property
+    def secret(self):
+        if self.__secret:
+            return self.__secret
+        from accounts.backends import vault_client
+        secret = vault_client.get(self)
+        if not secret and not self.secret_has_save_to_vault:
+            # vault_client 获取不到, 并且 secret 没有保存到 vault, 就从 self._secret 获取
+            secret = self._secret
+        self.__secret = secret
+        return self.__secret
+
+    @secret.setter
+    def secret(self, value):
+        """
+        保存的时候通过 post_save 信号监听进行处理,
+        先保存到 db, 再保存到 vault 同时删除本地 db _secret 值
+        """
+        self._secret = value
+        self.__secret = value
+
+    _secret_save_to_vault_mark = '# Secret-has-been-saved-to-vault #'
+
+    def mark_secret_save_to_vault(self):
+        self._secret = self._secret_save_to_vault_mark
+        self.save()
+
+    @property
+    def secret_has_save_to_vault(self):
+        return self._secret == self._secret_save_to_vault_mark
+
+    def save(self, *args, **kwargs):
+        """ 通过 post_save signal 处理 _secret 数据 """
+        update_fields = kwargs.get('update_fields')
+        if update_fields and 'secret' in update_fields:
+            update_fields.remove('secret')
+            update_fields.append('_secret')
+        return super().save(*args, **kwargs)
--- a/apps/accounts/models/template.py
+++ b/apps/accounts/models/template.py
@@ -0,0 +1,88 @@
+from django.db import models
+from django.db.models import Count, Q
+from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
+
+from .account import Account
+from .base import BaseAccount, SecretWithRandomMixin
+
+__all__ = ['AccountTemplate', ]
+
+
+class AccountTemplate(BaseAccount, SecretWithRandomMixin):
+    su_from = models.ForeignKey(
+        'self', related_name='su_to', null=True,
+        on_delete=models.SET_NULL, verbose_name=_("Su from")
+    )
+    auto_push = models.BooleanField(default=False, verbose_name=_('Auto push'))
+    platforms = models.ManyToManyField(
+        'assets.Platform', related_name='account_templates',
+        verbose_name=_('Platforms'), blank=True,
+    )
+    push_params = models.JSONField(default=dict, verbose_name=_('Push params'))
+
+    class Meta:
+        verbose_name = _('Account template')
+        unique_together = (
+            ('name', 'org_id'),
+        )
+        permissions = [
+            ('view_accounttemplatesecret', _('Can view asset account template secret')),
+            ('change_accounttemplatesecret', _('Can change asset account template secret')),
+        ]
+
+    def __str__(self):
+        return f'{self.name}({self.username})'
+
+    @classmethod
+    def get_su_from_account_templates(cls, pk=None):
+        if pk is None:
+            return cls.objects.all()
+        return cls.objects.exclude(Q(id=pk) | Q(su_from_id=pk))
+
+    def get_su_from_account(self, asset):
+        su_from = self.su_from
+        if su_from and asset.platform.su_enabled:
+            account = asset.accounts.filter(
+                username=su_from.username,
+                secret_type=su_from.secret_type
+            ).first()
+            return account
+
+    def bulk_update_accounts(self, accounts):
+        history_model = Account.history.model
+        account_ids = accounts.values_list('id', flat=True)
+        history_accounts = history_model.objects.filter(id__in=account_ids)
+        account_id_count_map = {
+            str(i['id']): i['count']
+            for i in history_accounts.values('id').order_by('id')
+            .annotate(count=Count(1)).values('id', 'count')
+        }
+
+        for account in accounts:
+            account_id = str(account.id)
+            account.version = account_id_count_map.get(account_id) + 1
+            account.secret = self.get_secret()
+        Account.objects.bulk_update(accounts, ['version', 'secret'])
+
+    @staticmethod
+    def bulk_create_history_accounts(accounts, user_id):
+        history_model = Account.history.model
+        history_account_objs = []
+        for account in accounts:
+            history_account_objs.append(
+                history_model(
+                    id=account.id,
+                    version=account.version,
+                    secret=account.secret,
+                    secret_type=account.secret_type,
+                    history_user_id=user_id,
+                    history_date=timezone.now()
+                )
+            )
+        history_model.objects.bulk_create(history_account_objs)
+
+    def bulk_sync_account_secret(self, accounts, user_id):
+        """ 批量同步账号密码 """
+        self.bulk_update_accounts(accounts)
+        self.bulk_create_history_accounts(accounts, user_id)
--- a/apps/accounts/models/virtual.py
+++ b/apps/accounts/models/virtual.py
@@ -0,0 +1,103 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from accounts.const import AliasAccount
+from orgs.mixins.models import JMSOrgBaseModel
+
+__all__ = ['VirtualAccount']
+
+from orgs.utils import tmp_to_org
+
+
+class VirtualAccount(JMSOrgBaseModel):
+    alias = models.CharField(max_length=128, choices=AliasAccount.virtual_choices(), verbose_name=_('Alias'), )
+    secret_from_login = models.BooleanField(default=None, null=True, verbose_name=_("Secret from login"), )
+
+    class Meta:
+        unique_together = [('alias', 'org_id')]
+
+    @property
+    def name(self):
+        return self.get_alias_display()
+
+    @property
+    def username(self):
+        usernames_map = {
+            AliasAccount.INPUT: _("Manual input"),
+            AliasAccount.USER: _("Same with user"),
+            AliasAccount.ANON: ''
+        }
+        usernames_map = {str(k): v for k, v in usernames_map.items()}
+        return usernames_map.get(self.alias, '')
+
+    @property
+    def comment(self):
+        comments_map = {
+            AliasAccount.INPUT: _('Non-asset account, Input username/password on connect'),
+            AliasAccount.USER: _('The account username name same with user on connect'),
+            AliasAccount.ANON: _('Connect asset without using a username and password, '
+                                 'and it only supports web-based and custom-type assets'),
+        }
+        comments_map = {str(k): v for k, v in comments_map.items()}
+        return comments_map.get(self.alias, '')
+
+    @classmethod
+    def get_or_init_queryset(cls):
+        aliases = [i[0] for i in AliasAccount.virtual_choices()]
+        alias_created = cls.objects.all().values_list('alias', flat=True)
+        need_created = set(aliases) - set(alias_created)
+
+        if need_created:
+            accounts = [cls(alias=alias) for alias in need_created]
+            cls.objects.bulk_create(accounts, ignore_conflicts=True)
+        return cls.objects.all()
+
+    @classmethod
+    def get_special_account(cls, alias, user, asset, input_username='', input_secret='', from_permed=True):
+        if alias == AliasAccount.INPUT.value:
+            account = cls.get_manual_account(input_username, input_secret, from_permed)
+        elif alias == AliasAccount.ANON.value:
+            account = cls.get_anonymous_account()
+        elif alias == AliasAccount.USER.value:
+            account = cls.get_same_account(user, asset, input_secret=input_secret, from_permed=from_permed)
+        else:
+            account = cls(name=alias, username=alias, secret=None)
+        account.alias = alias
+        if asset:
+            account.asset = asset
+            account.org_id = asset.org_id
+        return account
+
+    @classmethod
+    def get_manual_account(cls, input_username='', input_secret='', from_permed=True):
+        """ @INPUT 手动登录的账号(any) """
+        from .account import Account
+        if from_permed:
+            username = AliasAccount.INPUT.value
+            secret = ''
+        else:
+            username = input_username
+            secret = input_secret
+        return Account(name=AliasAccount.INPUT.label, username=username, secret=secret)
+
+    @classmethod
+    def get_anonymous_account(cls):
+        from .account import Account
+        return Account(name=AliasAccount.ANON.label, username=AliasAccount.ANON.value, secret=None)
+
+    @classmethod
+    def get_same_account(cls, user, asset, input_secret='', from_permed=True):
+        """ @USER 动态用户的账号(self) """
+        from .account import Account
+        username = user.username
+
+        with tmp_to_org(asset.org):
+            same_account = cls.objects.filter(alias='@USER').first()
+
+        secret = ''
+        if same_account and same_account.secret_from_login:
+            secret = user.get_cached_password_if_has()
+
+        if not secret and not from_permed:
+            secret = input_secret
+        return Account(name=AliasAccount.USER.label, username=username, secret=secret)
--- a/apps/accounts/notifications.py
+++ b/apps/accounts/notifications.py
@@ -1,7 +1,10 @@
-from django.utils.translation import ugettext_lazy as _
+from django.template.loader import render_to_string
+from django.utils.translation import gettext_lazy as _

-from common.tasks import send_mail_attachment_async
+from common.tasks import send_mail_attachment, upload_backup_to_obj_storage
+from notifications.notifications import UserMessage
 from users.models import User
+from terminal.models.component.storage import ReplayStorage


 class AccountBackupExecutionTaskMsg(object):
@@ -24,11 +27,30 @@ class AccountBackupExecutionTaskMsg(object):
                     "to set the encryption password").format(name)

    def publish(self, attachment_list=None):
-        send_mail_attachment_async(
+        send_mail_attachment(
            self.subject, self.message, [self.user.email], attachment_list
        )


+class AccountBackupByObjStorageExecutionTaskMsg(object):
+    subject = _('Notification of account backup route task results')
+
+    def __init__(self, name: str, obj_storage: ReplayStorage):
+        self.name = name
+        self.obj_storage = obj_storage
+
+    @property
+    def message(self):
+        name = self.name
+        return _('{} - The account backup passage task has been completed.'
+                 ' See the attachment for details').format(name)
+
+    def publish(self, attachment_list=None):
+        upload_backup_to_obj_storage(
+            self.obj_storage, attachment_list
+        )
+
+
 class ChangeSecretExecutionTaskMsg(object):
    subject = _('Notification of implementation result of encryption change plan')

@@ -48,6 +70,28 @@ class ChangeSecretExecutionTaskMsg(object):
                     "file encryption password to set the encryption password").format(name)

    def publish(self, attachments=None):
-        send_mail_attachment_async(
+        send_mail_attachment(
            self.subject, self.message, [self.user.email], attachments
        )
+
+
+class GatherAccountChangeMsg(UserMessage):
+    subject = _('Gather account change information')
+
+    def __init__(self, user, change_info: dict):
+        self.change_info = change_info
+        super().__init__(user)
+
+    def get_html_msg(self) -> dict:
+        context = {'change_info': self.change_info}
+        message = render_to_string('accounts/asset_account_change_info.html', context)
+
+        return {
+            'subject': str(self.subject),
+            'message': message
+        }
+
+    @classmethod
+    def gen_test_msg(cls):
+        user = User.objects.first()
+        return cls(user, {})
--- a/apps/accounts/serializers/account/init.py
+++ b/apps/accounts/serializers/account/init.py
@@ -1,5 +1,6 @@
 from .account import *
 from .backup import *
 from .base import *
-from .template import *
 from .gathered_account import *
+from .template import *
+from .virtual import *
--- a/apps/accounts/serializers/account/account.py
+++ b/apps/accounts/serializers/account/account.py
@@ -2,8 +2,9 @@ import uuid
 from copy import deepcopy

 from django.db import IntegrityError
+from django.db import transaction
 from django.db.models import Q
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 from rest_framework.generics import get_object_or_404
 from rest_framework.validators import UniqueTogetherValidator
@@ -73,6 +74,23 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
            name = name + '_' + uuid.uuid4().hex[:4]
        initial_data['name'] = name

+    @staticmethod
+    def get_template_attr_for_account(template):
+        # Set initial data from template
+        field_names = [
+            'name', 'username', 'secret',
+            'secret_type', 'privileged', 'is_active'
+        ]
+
+        attrs = {}
+        for name in field_names:
+            value = getattr(template, name, None)
+            if value is None:
+                continue
+            attrs[name] = value
+        attrs['secret'] = template.get_secret()
+        return attrs
+
    def from_template_if_need(self, initial_data):
        if isinstance(initial_data, str):
            return
@@ -89,18 +107,7 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
            raise serializers.ValidationError({'template': 'Template not found'})

        self._template = template
-        # Set initial data from template
-        ignore_fields = ['id', 'date_created', 'date_updated', 'su_from', 'org_id']
-        field_names = [
-            field.name for field in template._meta.fields
-            if field.name not in ignore_fields
-        ]
-        attrs = {}
-        for name in field_names:
-            value = getattr(template, name, None)
-            if value is None:
-                continue
-            attrs[name] = value
+        attrs = self.get_template_attr_for_account(template)
        initial_data.update(attrs)
        initial_data.update({
            'source': Source.TEMPLATE,
@@ -112,10 +119,13 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
        asset = get_object_or_404(Asset, pk=asset_id)
        initial_data['su_from'] = template.get_su_from_account(asset)

-    @staticmethod
-    def push_account_if_need(instance, push_now, params, stat):
+    def push_account_if_need(self, instance, push_now, params, stat):
        if not push_now or stat not in ['created', 'updated']:
            return
+        transaction.on_commit(lambda: self.start_push(instance, params))
+
+    @staticmethod
+    def start_push(instance, params):
        push_accounts_to_assets_task.delay([str(instance.id)], params)

    def get_validators(self):
@@ -198,7 +208,6 @@ class AccountAssetSerializer(serializers.ModelSerializer):

 class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerializer):
    asset = AccountAssetSerializer(label=_('Asset'))
-    has_secret = serializers.BooleanField(label=_("Has secret"), read_only=True)
    source = LabeledChoiceField(
        choices=Source.choices, label=_("Source"), required=False,
        allow_null=True, default=Source.LOCAL
@@ -233,6 +242,15 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
        return queryset


+class AccountDetailSerializer(AccountSerializer):
+    has_secret = serializers.BooleanField(label=_("Has secret"), read_only=True)
+
+    class Meta(AccountSerializer.Meta):
+        model = Account
+        fields = AccountSerializer.Meta.fields + ['has_secret']
+        read_only_fields = AccountSerializer.Meta.read_only_fields + ['has_secret']
+
+
 class AssetAccountBulkSerializerResultSerializer(serializers.Serializer):
    asset = serializers.CharField(read_only=True, label=_('Asset'))
    state = serializers.CharField(read_only=True, label=_('State'))
--- a/apps/accounts/serializers/account/backup.py
+++ b/apps/accounts/serializers/account/backup.py
@@ -1,11 +1,11 @@
 # -*- coding: utf-8 -*-
 #
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

 from accounts.models import AccountBackupAutomation, AccountBackupExecution
 from common.const.choices import Trigger
-from common.serializers.fields import LabeledChoiceField
+from common.serializers.fields import LabeledChoiceField, EncryptedField
 from common.utils import get_logger
 from ops.mixin import PeriodTaskSerializerMixin
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
@@ -16,6 +16,11 @@ __all__ = ['AccountBackupSerializer', 'AccountBackupPlanExecutionSerializer']


 class AccountBackupSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSerializer):
+    zip_encrypt_password = EncryptedField(
+        label=_('Zip Encrypt Password'), required=False, max_length=40960, allow_blank=True,
+        allow_null=True, write_only=True,
+    )
+
    class Meta:
        model = AccountBackupAutomation
        read_only_fields = [
@@ -24,7 +29,9 @@ class AccountBackupSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSer
        ]
        fields = read_only_fields + [
            'id', 'name', 'is_periodic', 'interval', 'crontab',
-            'comment', 'recipients', 'types'
+            'comment', 'types', 'recipients_part_one', 'recipients_part_two', 'backup_type',
+            'is_password_divided_by_email', 'is_password_divided_by_obj_storage', 'obj_recipients_part_one',
+            'obj_recipients_part_two', 'zip_encrypt_password'
        ]
        extra_kwargs = {
            'name': {'required': True},
@@ -44,7 +51,7 @@ class AccountBackupPlanExecutionSerializer(serializers.ModelSerializer):
    class Meta:
        model = AccountBackupExecution
        read_only_fields = [
-            'id', 'date_start', 'timedelta', 'plan_snapshot',
-            'trigger', 'reason', 'is_success', 'org_id', 'recipients'
+            'id', 'date_start', 'timedelta', 'snapshot',
+            'trigger', 'reason', 'is_success', 'org_id'
        ]
        fields = read_only_fields + ['plan']
--- a/apps/accounts/serializers/account/base.py
+++ b/apps/accounts/serializers/account/base.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

 from accounts.const import SecretType
@@ -61,20 +61,18 @@ class AuthValidateMixin(serializers.Serializer):


 class BaseAccountSerializer(AuthValidateMixin, BulkOrgResourceModelSerializer):
-    has_secret = serializers.BooleanField(label=_("Has secret"), read_only=True)

    class Meta:
        model = BaseAccount
        fields_mini = ['id', 'name', 'username']
        fields_small = fields_mini + [
-            'secret_type', 'secret', 'has_secret', 'passphrase',
+            'secret_type', 'secret', 'passphrase',
            'privileged', 'is_active', 'spec_info',
        ]
        fields_other = ['created_by', 'date_created', 'date_updated', 'comment']
        fields = fields_small + fields_other
        read_only_fields = [
-            'has_secret', 'spec_info',
-            'date_verified', 'created_by', 'date_created',
+            'spec_info', 'date_verified', 'created_by', 'date_created',
        ]
        extra_kwargs = {
            'spec_info': {'label': _('Spec info')},
--- a/apps/accounts/serializers/account/gathered_account.py
+++ b/apps/accounts/serializers/account/gathered_account.py
@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _

 from accounts.models import GatheredAccount
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
--- a/apps/accounts/serializers/account/template.py
+++ b/apps/accounts/serializers/account/template.py
@@ -1,16 +1,24 @@
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

-from accounts.models import AccountTemplate, Account
+from accounts.const import SecretStrategy, SecretType
+from accounts.models import AccountTemplate
+from accounts.utils import SecretGenerator
 from common.serializers import SecretReadableMixin
 from common.serializers.fields import ObjectRelatedField
 from .base import BaseAccountSerializer


-class AccountTemplateSerializer(BaseAccountSerializer):
-    is_sync_account = serializers.BooleanField(default=False, write_only=True)
-    _is_sync_account = False
+class PasswordRulesSerializer(serializers.Serializer):
+    length = serializers.IntegerField(min_value=8, max_value=30, default=16, label=_('Password length'))
+    lowercase = serializers.BooleanField(default=True, label=_('Lowercase'))
+    uppercase = serializers.BooleanField(default=True, label=_('Uppercase'))
+    digit = serializers.BooleanField(default=True, label=_('Digit'))
+    symbol = serializers.BooleanField(default=True, label=_('Special symbol'))

+
+class AccountTemplateSerializer(BaseAccountSerializer):
+    password_rules = PasswordRulesSerializer(required=False, label=_('Password rules'))
    su_from = ObjectRelatedField(
        required=False, queryset=AccountTemplate.objects, allow_null=True,
        allow_empty=True, label=_('Su from'), attrs=('id', 'name', 'username')
@@ -18,36 +26,38 @@ class AccountTemplateSerializer(BaseAccountSerializer):

    class Meta(BaseAccountSerializer.Meta):
        model = AccountTemplate
-        fields = BaseAccountSerializer.Meta.fields + ['is_sync_account', 'su_from']
-
-    def sync_accounts_secret(self, instance, diff):
-        if not self._is_sync_account or 'secret' not in diff:
-            return
-        query_data = {
-            'source_id': instance.id,
-            'username': instance.username,
-            'secret_type': instance.secret_type
+        fields = BaseAccountSerializer.Meta.fields + [
+            'secret_strategy', 'password_rules',
+            'auto_push', 'push_params', 'platforms',
+            'su_from'
+        ]
+        extra_kwargs = {
+            'secret_strategy': {'help_text': _('Secret generation strategy for account creation')},
+            'auto_push': {'help_text': _('Whether to automatically push the account to the asset')},
+            'platforms': {
+                'help_text': _(
+                    'Associated platform, you can configure push parameters. '
+                    'If not associated, default parameters will be used'
+                ),
+                'required': False
+            },
        }
-        accounts = Account.objects.filter(**query_data)
-        instance.bulk_sync_account_secret(accounts, self.context['request'].user.id)
+
+    @staticmethod
+    def generate_secret(attrs):
+        secret_type = attrs.get('secret_type', SecretType.PASSWORD)
+        secret_strategy = attrs.get('secret_strategy', SecretStrategy.custom)
+        password_rules = attrs.get('password_rules')
+        if secret_strategy != SecretStrategy.random:
+            return
+        generator = SecretGenerator(secret_strategy, secret_type, password_rules)
+        attrs['secret'] = generator.get_secret()

    def validate(self, attrs):
-        self._is_sync_account = attrs.pop('is_sync_account', None)
        attrs = super().validate(attrs)
+        self.generate_secret(attrs)
        return attrs

-    def update(self, instance, validated_data):
-        diff = {
-            k: v for k, v in validated_data.items()
-            if getattr(instance, k, None) != v
-        }
-        instance = super().update(instance, validated_data)
-        if {'username', 'secret_type'} & set(diff.keys()):
-            Account.objects.filter(source_id=instance.id).update(source_id=None)
-        else:
-            self.sync_accounts_secret(instance, diff)
-        return instance
-

 class AccountTemplateSecretSerializer(SecretReadableMixin, AccountTemplateSerializer):
    class Meta(AccountTemplateSerializer.Meta):
--- a/apps/accounts/serializers/account/virtual.py
+++ b/apps/accounts/serializers/account/virtual.py
@@ -0,0 +1,30 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework import serializers
+
+from accounts.models import VirtualAccount
+
+__all__ = ['VirtualAccountSerializer']
+
+
+class VirtualAccountSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = VirtualAccount
+        field_mini = ['id', 'alias', 'username', 'name']
+        common_fields = ['date_created', 'date_updated', 'comment']
+        fields = field_mini + [
+            'secret_from_login',
+        ] + common_fields
+        read_only_fields = common_fields + common_fields
+        extra_kwargs = {
+            'comment': {'label': _('Comment')},
+            'name': {'label': _('Name')},
+            'username': {'label': _('Username')},
+            'secret_from_login': {
+                'help_text': _(
+                    'Current only support login from AD/LDAP. Secret priority: '
+                    'Same account in asset secret > Login secret > Manual input. <br/ >'
+                    'For security, please set config CACHE_LOGIN_PASSWORD_ENABLED to true'
+                )
+            },
+            'alias': {'required': False},
+        }
--- a/Show More
+++ b/Show More