Merge pull request #14901 from jumpserver/dev

v4.7.0
Merge pull request #14900 from jumpserver/pr@dev@translate
2025-12-16 17:12:53 +00:00 · 2025-02-20 10:21:16 +08:00 · 2025-02-19 19:26:09 +08:00 · 2025-02-19 19:17:21 +08:00 · 2025-02-19 16:27:10 +08:00 · 2025-02-18 15:26:11 +08:00
1422 changed files with 105286 additions and 51637 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,3 +8,4 @@ celerybeat.pid
 .vagrant/
 apps/xpack/.git
 .history/
 .idea
--- a/.github/ISSUE_TEMPLATE/----.md
+++ b/.github/ISSUE_TEMPLATE/----.md
@@ -1,12 +0,0 @@
 ---
 name: 需求建议
 about: 提出针对本项目的想法和建议
 title: "[Feature] "
 labels: 类型:需求
 assignees: 
  - ibuler
  - baijiangjie
  - wojiushixiaobai
 ---
 **请描述您的需求或者改进建议.**
--- a/.github/ISSUE_TEMPLATE/1_bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1_bug_report.yml
@@ -0,0 +1,72 @@
 name: '🐛 Bug Report'
 description: 'Report an Bug'
 title: '[Bug] '
 labels: ['🐛 Bug']
 assignees: 
  - baijiangjie
 body:
  - type: input
    attributes:
      label: 'Product Version'
      description: The versions prior to v2.28 (inclusive) are no longer supported.
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Product Edition'
      options:
        - label: 'Community Edition'
        - label: 'Enterprise Edition'
        - label: 'Enterprise Trial Edition'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Installation Method'
      options:
        - label: 'Online Installation (One-click command installation)'
        - label: 'Offline Package Installation'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: 'Source Code'
  - type: textarea
    attributes:
      label: 'Environment Information'
      description: Please provide a clear and concise description outlining your environment information.
    validations:
      required: true
  - type: textarea
    attributes:
      label: '🐛 Bug Description'
      description:
        Please provide a clear and concise description of the defect. If the issue is complex, please provide detailed explanations. <br/>
        Unclear descriptions will not be processed. Please ensure you provide enough detail and information to support replicating and fixing the defect.
    validations:
      required: true
  - type: textarea
    attributes:
      label: 'Recurrence Steps'
      description: Please provide a clear and concise description outlining how to reproduce the issue.
    validations:
      required: true
  - type: textarea
    attributes:
      label: 'Expected Behavior'
      description: Please provide a clear and concise description of what you expect to happen.
  - type: textarea
    attributes:
      label: 'Additional Information'
      description: Please add any additional background information about the issue here.
  - type: textarea
    attributes:
      label: 'Attempted Solutions'
      description: If you have already attempted to solve the issue, please list the solutions you have tried here.
--- a/.github/ISSUE_TEMPLATE/2_question.yml
+++ b/.github/ISSUE_TEMPLATE/2_question.yml
@@ -0,0 +1,60 @@
 name: '🤔 Question'
 description: 'Pose a question'
 title: '[Question] '
 labels: ['🤔 Question']
 assignees: 
  - baijiangjie
 body:
  - type: input
    attributes:
      label: 'Product Version'
      description: The versions prior to v2.28 (inclusive) are no longer supported.
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Product Edition'
      options:
        - label: 'Community Edition'
        - label: 'Enterprise Edition'
        - label: 'Enterprise Trial Edition'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Installation Method'
      options:
        - label: 'Online Installation (One-click command installation)'
        - label: 'Offline Package Installation'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: 'Source Code'
  - type: textarea
    attributes:
      label: 'Environment Information'
      description: Please provide a clear and concise description outlining your environment information.
    validations:
      required: true
  - type: textarea
    attributes:
      label: '🤔 Question Description'
      description: |
        Please provide a clear and concise description of the defect. If the issue is complex, please provide detailed explanations. <br/>
        Unclear descriptions will not be processed. 
    validations:
      required: true
  - type: textarea
    attributes:
      label: 'Expected Behavior'
      description: Please provide a clear and concise description of what you expect to happen.
  - type: textarea
    attributes:
      label: 'Additional Information'
      description: Please add any additional background information about the issue here.
--- a/.github/ISSUE_TEMPLATE/3_feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/3_feature_request.yml
@@ -0,0 +1,56 @@
 name: '⭐️ Feature Request'
 description: 'Suggest an idea'
 title: '[Feature] '
 labels: ['⭐️ Feature Request']
 assignees: 
  - baijiangjie
  - ibuler
 body:
  - type: input
    attributes:
      label: 'Product Version'
      description: The versions prior to v2.28 (inclusive) are no longer supported.
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Product Edition'
      options:
        - label: 'Community Edition'
        - label: 'Enterprise Edition'
        - label: 'Enterprise Trial Edition'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: 'Installation Method'
      options:
        - label: 'Online Installation (One-click command installation)'
        - label: 'Offline Package Installation'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: 'Source Code'
  - type: textarea
    attributes:
      label: '⭐️ Feature Description'
      description: |
        Please add a clear and concise description of the problem you aim to solve with this feature request.<br/>
        Unclear descriptions will not be processed.      
    validations:
      required: true
  - type: textarea
    attributes:
      label: 'Proposed Solution'
      description: Please provide a clear and concise description of the solution you desire.
    validations:
      required: true
  - type: textarea
    attributes:
      label: 'Additional Information'
      description: Please add any additional background information about the issue here.
--- a/.github/ISSUE_TEMPLATE/4_bug_report_cn.yml
+++ b/.github/ISSUE_TEMPLATE/4_bug_report_cn.yml
@@ -0,0 +1,72 @@
 name: '🐛 反馈缺陷'
 description: '反馈一个缺陷'
 title: '[Bug] '
 labels: ['🐛 Bug']
 assignees: 
  - baijiangjie
 body:
  - type: input
    attributes:
      label: '产品版本'
      description: 不再支持 v2.28（含）之前的版本。
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '版本类型'
      options:
        - label: '社区版'
        - label: '企业版'
        - label: '企业试用版'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '安装方式'
      options:
        - label: '在线安装 (一键命令安装)'
        - label: '离线包安装'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: '源码安装'
  - type: textarea
    attributes:
      label: '环境信息'
      description: 请提供一个清晰且简洁的描述，说明你的环境信息。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '🐛 缺陷描述'
      description: |
        请提供一个清晰且简洁的缺陷描述，如果问题比较复杂，也请详细说明。<br/> 
        针对不清晰的描述信息将不予处理。请确保提供足够的细节和信息，以支持对缺陷进行复现和修复。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '复现步骤'
      description: 请提供一个清晰且简洁的描述，说明如何复现问题。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '期望结果'
      description: 请提供一个清晰且简洁的描述，说明你期望发生什么。
  - type: textarea
    attributes:
      label: '补充信息'
      description: 在这里添加关于问题的任何其他背景信息。
  - type: textarea
    attributes:
      label: '尝试过的解决方案'
      description: 如果你已经尝试解决问题，请在此列出你尝试过的解决方案。
--- a/.github/ISSUE_TEMPLATE/5_question_cn.yml
+++ b/.github/ISSUE_TEMPLATE/5_question_cn.yml
@@ -0,0 +1,61 @@
 name: '🤔 问题咨询'
 description: '提出一个问题'
 title: '[Question] '
 labels: ['🤔 Question']
 assignees: 
  - baijiangjie
 body:
  - type: input
    attributes:
      label: '产品版本'
      description: 不再支持 v2.28（含）之前的版本。
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '版本类型'
      options:
        - label: '社区版'
        - label: '企业版'
        - label: '企业试用版'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '安装方式'
      options:
        - label: '在线安装 (一键命令安装)'
        - label: '离线包安装'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: '源码安装'
  - type: textarea
    attributes:
      label: '环境信息'
      description: 请在此详细描述你的环境信息，如操作系统、浏览器和部署架构等。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '🤔 问题描述'
      description: |
        请提供一个清晰且简洁的问题描述，如果问题比较复杂，也请详细说明。<br/> 
        针对不清晰的描述信息将不予处理。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '期望结果'
      description: 请提供一个清晰且简洁的描述，说明你期望发生什么。
  - type: textarea
    attributes:
      label: '补充信息'
      description: 在这里添加关于问题的任何其他背景信息。
--- a/.github/ISSUE_TEMPLATE/6_feature_request_cn.yml
+++ b/.github/ISSUE_TEMPLATE/6_feature_request_cn.yml
@@ -0,0 +1,56 @@
 name: '⭐️ 功能需求'
 description: '提出需求或建议'
 title: '[Feature] '
 labels: ['⭐️ Feature Request']
 assignees: 
  - baijiangjie
  - ibuler
 body:
  - type: input
    attributes:
      label: '产品版本'
      description: 不再支持 v2.28（含）之前的版本。
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '版本类型'
      options:
        - label: '社区版'
        - label: '企业版'
        - label: '企业试用版'
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: '安装方式'
      options:
        - label: '在线安装 (一键命令安装)'
        - label: '离线包安装'
        - label: 'All-in-One'
        - label: '1Panel'
        - label: 'Kubernetes'
        - label: '源码安装'
  - type: textarea
    attributes:
      label: '⭐️ 需求描述'
      description: |
        请添加一个清晰且简洁的问题描述，阐述你希望通过这个功能需求解决的问题。<br/>
        针对不清晰的描述信息将不予处理。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '解决方案'
      description: 请清晰且简洁地描述你想要的解决方案。
    validations:
      required: true
  - type: textarea
    attributes:
      label: '补充信息'
      description: 在这里添加关于问题的任何其他背景信息。
--- a/.github/ISSUE_TEMPLATE/bug---.md
+++ b/.github/ISSUE_TEMPLATE/bug---.md
@@ -1,24 +0,0 @@
 ---
 name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
 title: "[Bug] "
 labels: 类型:bug
 assignees: 
   - wojiushixiaobai
   - baijiangjie
 ---
 **JumpServer 版本( v2.28 之前的版本不再支持 )**
 **浏览器版本**
 **Bug 描述**
 **Bug 重现步骤(有截图更好)**
 1.
 2.
 3.
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -1,12 +0,0 @@
 ---
 name: 问题咨询
 about: 提出针对本项目安装部署、使用及其他方面的相关问题
 title: "[Question] "
 labels: 类型:提问
 assignees: 
  - wojiushixiaobai
  - baijiangjie
 ---
 **请描述您的问题.**
--- a/.github/workflows/build-base-image.yml
+++ b/.github/workflows/build-base-image.yml
@@ -0,0 +1,72 @@
 name: Build and Push Base Image
 on:
  pull_request:
    branches:
      - 'dev'
      - 'v*'
    paths:
      - poetry.lock
      - pyproject.toml
      - Dockerfile-base
      - package.json
      - go.mod
      - yarn.lock
      - pom.xml
      - install_deps.sh
      - utils/clean_site_packages.sh
    types:
      - opened
      - synchronize
      - reopened
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Extract date
        id: vars
        run: echo "IMAGE_TAG=$(date +'%Y%m%d_%H%M%S')" >> $GITHUB_ENV
      - name: Extract repository name
        id: repo
        run: echo "REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
      - name: Build and push multi-arch image
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          file: Dockerfile-base
          tags: jumpserver/core-base:${{ env.IMAGE_TAG }}
      - name: Update Dockerfile
        run: |
          sed -i 's|-base:.* AS stage-build|-base:${{ env.IMAGE_TAG }} AS stage-build|' Dockerfile
      - name: Commit changes
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          git add Dockerfile
          git commit -m "perf: Update Dockerfile with new base image tag"
          git push origin ${{ github.event.pull_request.head.ref }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/check-compilemessages.yml
+++ b/.github/workflows/check-compilemessages.yml
@@ -0,0 +1,31 @@
 name: Check I18n files CompileMessages
 on:
  pull_request:
    branches:
      - 'dev'
    paths:
      - 'apps/i18n/core/**/*.po'
    types:
      - opened
      - synchronize
      - reopened
 jobs:
  compile-messages-check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and check compilemessages
        uses: docker/build-push-action@v6
        with:
          platforms: linux/amd64
          push: false
          file: Dockerfile
          target: stage-build
          tags: jumpserver/core:stage-build
--- a/.github/workflows/discord-release.yml
+++ b/.github/workflows/discord-release.yml
@@ -0,0 +1,24 @@
 name: Publish Release to Discord
 on:
  release:
    types: [published]
 jobs:
  send_discord_notification:
    runs-on: ubuntu-latest
    if: startsWith(github.event.release.tag_name, 'v4.')
    steps:
      - name: Send release notification to Discord
        env:
          WEBHOOK_URL: ${{ secrets.DISCORD_CHANGELOG_WEBHOOK }}
        run: |
          # 获取标签名称和 release body
          TAG_NAME="${{ github.event.release.tag_name }}"
          RELEASE_BODY="${{ github.event.release.body }}"
          # 使用 jq 构建 JSON 数据，以确保安全传递
          JSON_PAYLOAD=$(jq -n --arg tag "# JumpServer $TAG_NAME Released! 🚀" --arg body "$RELEASE_BODY" '{content: "\($tag)\n\($body)"}')
          # 使用 curl 发送 JSON 数据
          curl -X POST -H "Content-Type: application/json" -d "$JSON_PAYLOAD" "$WEBHOOK_URL"
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -0,0 +1,24 @@
 name: Auto update docs changelog
 on:
  release:
    types: [published]
 jobs:
  update_docs_changelog:
    runs-on: ubuntu-latest
    if: startsWith(github.event.release.tag_name, 'v4.')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Update docs changelog
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
          DOCS_TOKEN: ${{ secrets.DOCS_TOKEN }}
        run: |
          git config --global user.name 'BaiJiangJie'
          git config --global user.email 'jiangjie.bai@fit2cloud.com'
          git clone https://$DOCS_TOKEN@github.com/jumpservice/documentation.git
          cd documentation/utils
          bash update_changelog.sh
--- a/.github/workflows/issue-close-require.yml
+++ b/.github/workflows/issue-close-require.yml
@@ -12,7 +12,9 @@ jobs:
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'close-issues'
-          labels: '状态:待反馈'
+          labels: '⏳ Pending feedback'
          inactive-day: 30
          body: |
            You haven't provided feedback for over 30 days. 
            We will close this issue. If you have any further needs, you can reopen it or submit a new issue.
            您超过 30 天未反馈信息，我们将关闭该 issue，如有需求您可以重新打开或者提交新的 issue。
--- a/.github/workflows/issue-close.yml
+++ b/.github/workflows/issue-close.yml
@@ -13,4 +13,4 @@ jobs:
        if: ${{ !github.event.issue.pull_request }}
        with:
          actions: 'remove-labels'
-          labels: '状态:待处理,状态:待反馈'
+          labels: '🔔 Pending processing,⏳ Pending feedback'
--- a/.github/workflows/issue-comment.yml
+++ b/.github/workflows/issue-comment.yml
@@ -13,13 +13,13 @@ jobs:
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'add-labels'
-          labels: '状态:待处理'
+          labels: '🔔 Pending processing'
      - name: Remove require reply label
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'remove-labels'
-          labels: '状态:待反馈'
+          labels: '⏳ Pending feedback'
  add-label-if-is-member:
    runs-on: ubuntu-latest
@@ -55,11 +55,11 @@ jobs:
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'add-labels'
-          labels: '状态:待反馈'
+          labels: '⏳ Pending feedback'
      - name: Remove require handle label
        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'remove-labels'
-          labels: '状态:待处理'
+          labels: '🔔 Pending processing'
--- a/.github/workflows/issue-open.yml
+++ b/.github/workflows/issue-open.yml
@@ -13,4 +13,4 @@ jobs:
        if: ${{ !github.event.issue.pull_request }}
        with:
          actions: 'add-labels'
-          labels: '状态:待处理'
+          labels: '🔔 Pending processing'
--- a/.github/workflows/jms-build-test.yml
+++ b/.github/workflows/jms-build-test.yml
@@ -1,36 +0,0 @@
 name: "Run Build Test"
 on:
  push:
    branches:
      - pr@*
      - repr@*
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: docker/setup-qemu-action@v2
    - uses: docker/setup-buildx-action@v2
    - uses: docker/build-push-action@v3
      with:
        context: .
        push: false
        tags: jumpserver/core:test
        file: Dockerfile
        build-args: |
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
          PIP_JMS_MIRROR=https://pypi.org/simple
        cache-from: type=gha
        cache-to: type=gha,mode=max
    - uses: LouisBrunner/checks-action@v1.5.0
      if: always()
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        name: Check Build
        conclusion: ${{ job.status }}
--- a/.github/workflows/jms-build-test.yml.disabled
+++ b/.github/workflows/jms-build-test.yml.disabled
@@ -0,0 +1,63 @@
 name: "Run Build Test"
 on:
  push:
    paths:
      - 'Dockerfile'
      - 'Dockerfile*'
      - 'Dockerfile-*'
      - 'pyproject.toml'
      - 'poetry.lock'
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        component: [core]
        version: [v4]
    steps:
    - uses: actions/checkout@v4
    - uses: docker/setup-buildx-action@v3
    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - name: Prepare Build
      run: |
        sed -i 's@^FROM registry.fit2cloud.com/jumpserver@FROM ghcr.io/jumpserver@g' Dockerfile-ee
    - name: Build CE Image
      uses: docker/build-push-action@v5
      with:
        context: .
        push: true
        file: Dockerfile
        tags: ghcr.io/jumpserver/${{ matrix.component }}:${{ matrix.version }}-ce
        platforms: linux/amd64
        build-args: |
          VERSION=${{ matrix.version }}
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
        outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
        cache-from: type=gha
        cache-to: type=gha,mode=max
    - name: Build EE Image
      uses: docker/build-push-action@v5
      with:
        context: .
        push: false
        file: Dockerfile-ee
        tags: ghcr.io/jumpserver/${{ matrix.component }}:${{ matrix.version }}
        platforms: linux/amd64
        build-args: |
          VERSION=${{ matrix.version }}
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
        outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
        cache-from: type=gha
        cache-to: type=gha,mode=max
--- a/.github/workflows/jms-generic-action-handler.yml
+++ b/.github/workflows/jms-generic-action-handler.yml
@@ -10,3 +10,4 @@ jobs:
      - uses: jumpserver/action-generic-handler@master
        env:
          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
          I18N_TOKEN: ${{ secrets.I18N_TOKEN }}
--- a/.github/workflows/llm-code-review.yml
+++ b/.github/workflows/llm-code-review.yml
@@ -0,0 +1,28 @@
 name: LLM Code Review
 permissions:
  contents: read
  pull-requests: write
 on:
  pull_request:
    types: [opened, reopened, synchronize]
 jobs:
  llm-code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: fit2cloud/LLM-CodeReview-Action@main
        env:
          GITHUB_TOKEN: ${{ secrets.FIT2CLOUDRD_LLM_CODE_REVIEW_TOKEN }}
          OPENAI_API_KEY: ${{ secrets.ALIYUN_LLM_API_KEY }}
          LANGUAGE: English
          OPENAI_API_ENDPOINT: https://dashscope.aliyuncs.com/compatible-mode/v1
          MODEL: qwen2-1.5b-instruct
          PROMPT: "Please check the following code differences for any irregularities, potential issues, or optimization suggestions, and provide your answers in English."
          top_p: 1
          temperature: 1
          # max_tokens: 10000
          MAX_PATCH_LENGTH: 10000 
          IGNORE_PATTERNS: "/node_modules,*.md,/dist,/.github"
          FILE_PATTERNS: "*.java,*.go,*.py,*.vue,*.ts,*.js,*.css,*.scss,*.html"
--- a/.github/workflows/translate-readme.yml
+++ b/.github/workflows/translate-readme.yml
@@ -0,0 +1,40 @@
 name: Translate README
 on:
  workflow_dispatch:
    inputs:
      target_langs:
        description: "Target Languages"
        required: false
        default: "zh-hans,zh-hant,ja,pt-br"
      gen_dir_path:
        description: "Generate Dir Name"
        required: false
        default: "readmes/"
      push_branch:
        description: "Push Branch"
        required: false
        default: "pr@dev@translate_readme"
      prompt:
        description: "AI Translate Prompt"
        required: false
        default: ""
      gpt_mode:
        description: "GPT Mode"
        required: false
        default: "gpt-4o-mini"
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Translate
        uses: jumpserver-dev/action-translate-readme@main
        env:
          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
          OPENAI_API_KEY: ${{ secrets.GPT_API_TOKEN }}
          GPT_MODE: ${{ github.event.inputs.gpt_mode }}
          TARGET_LANGUAGES: ${{ github.event.inputs.target_langs }}
          PUSH_BRANCH: ${{ github.event.inputs.push_branch }}
          GEN_DIR_PATH: ${{ github.event.inputs.gen_dir_path }}
          PROMPT: ${{ github.event.inputs.prompt }}
--- a/.gitignore
+++ b/.gitignore
@@ -43,3 +43,6 @@ releashe
 data/*
 test.py
 .history/
 .test/
 *.mo
 apps.iml
--- a/.isort.cfg
+++ b/.isort.cfg
@@ -1,3 +1,4 @@
 [settings]
 line_length=120
 known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,5 +1,10 @@
 # Contributing
 As a contributor, you should agree that:
 - The producer can adjust the open-source agreement to be more strict or relaxed as deemed necessary.
 - Your contributed code may be used for commercial purposes, including but not limited to its cloud business operations.
 ## Create pull request
 PR are always welcome, even if they only contain small fixes like typos or a few lines of code. If there will be a significant effort, please document it as an issue and get a discussion going before starting to work on it.
--- a/88
+++ b/88
@@ -1,84 +1,68 @@
-FROM python:3.11-slim-bullseye as stage-build
+FROM jumpserver/core-base:20241210_070105 AS stage-build
 ARG TARGETARCH
 ARG VERSION
 ENV VERSION=$VERSION
 WORKDIR /opt/jumpserver
 ADD . .
-RUN cd utils && bash -ixeu build.sh
+
 RUN echo > /opt/jumpserver/config.yml \
    && \
    if [ -n "${VERSION}" ]; then \
        sed -i "s@VERSION = .*@VERSION = '${VERSION}'@g" apps/jumpserver/const.py; \
    fi
 RUN set -ex \
    && export SECRET_KEY=$(head -c100 < /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 48) \
    && . /opt/py3/bin/activate \
    && cd apps \
    && python manage.py compilemessages
 FROM python:3.11-slim-bullseye
-ARG TARGETARCH
+ENV LANG=en_US.UTF-8 \
-
+    PATH=/opt/py3/bin:$PATH
 ARG BUILD_DEPENDENCIES="              \
        g++                           \
        make                          \
        pkg-config"
 ARG DEPENDENCIES="                    \
        freetds-dev                   \
        libpq-dev                     \
        libffi-dev                    \
        libjpeg-dev                   \
        libkrb5-dev                   \
        libldap2-dev                  \
-        libsasl2-dev                  \
+        libx11-dev"
        libssl-dev                    \
        libxml2-dev                   \
        libxmlsec1-dev                \
        libxmlsec1-openssl            \
        freerdp2-dev                  \
        libaio-dev"
 ARG TOOLS="                           \
        cron                          \
        ca-certificates               \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
        locales                       \
        nmap                          \
        openssh-client                \
        sshpass                       \
-        telnet                        \
+        bubblewrap"
        vim                           \
        wget"
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+ARG APT_MIRROR=http://deb.debian.org
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+RUN set -ex \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
+    && apt-get update > /dev/null \
    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
    && echo "set mouse-=a" > ~/.vimrc \
    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && apt-get clean all \
-    && sed -i "s@# export @export @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/* \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && echo "0 3 * * * root find /tmp -type f -mtime +1 -size +1M -exec rm -f {} \; && date > /tmp/clean.log" > /etc/cron.d/cleanup_tmp \
-    && rm -rf /var/lib/apt/lists/*
+    && chmod 0644 /etc/cron.d/cleanup_tmp
 COPY --from=stage-build /opt /opt
 COPY --from=stage-build /usr/local/bin /usr/local/bin
 COPY --from=stage-build /opt/jumpserver/apps/libs/ansible/ansible.cfg /etc/ansible/
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
 RUN --mount=type=cache,target=/root/.cache \
    set -ex \
    && echo > /opt/jumpserver/config.yml \
    && pip install poetry -i ${PIP_MIRROR} \
    && poetry config virtualenvs.create false \
    && poetry install --only=main
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
-ENV LANG=zh_CN.UTF-8
+ENTRYPOINT ["./entrypoint.sh"]
 EXPOSE 8080
-ENTRYPOINT ["./entrypoint.sh"]
+STOPSIGNAL SIGQUIT
 CMD ["start", "all"]
--- a/60
+++ b/60
@@ -0,0 +1,60 @@
 FROM python:3.11-slim-bullseye
 ARG TARGETARCH
 # Install APT dependencies
 ARG DEPENDENCIES="                    \
        ca-certificates               \
        wget                          \
        g++                           \
        make                          \
        pkg-config                    \
        default-libmysqlclient-dev    \
        freetds-dev                   \
        gettext                       \
        libkrb5-dev                   \
        libldap2-dev                  \
        libsasl2-dev"
 ARG APT_MIRROR=http://deb.debian.org
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core \
    set -ex \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache \
    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && apt-get update > /dev/null \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && echo "no" | dpkg-reconfigure dash
 # Install bin tools
 ARG CHECK_VERSION=v1.0.4
 RUN set -ex \
    && wget https://github.com/jumpserver-dev/healthcheck/releases/download/${CHECK_VERSION}/check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
    && tar -xf check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
    && mv check /usr/local/bin/ \
    && chown root:root /usr/local/bin/check \
    && chmod 755 /usr/local/bin/check \
    && rm -f check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz
 # Install Python dependencies
 WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
 ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
 ENV ANSIBLE_COLLECTIONS_PATHS=/opt/py3/lib/python3.11/site-packages/ansible_collections
 RUN --mount=type=cache,target=/root/.cache \
    --mount=type=bind,source=poetry.lock,target=poetry.lock \
    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
    --mount=type=bind,source=utils/clean_site_packages.sh,target=clean_site_packages.sh \
    --mount=type=bind,source=requirements/collections.yml,target=collections.yml \
    set -ex \
    && python3 -m venv /opt/py3 \
    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
    && . /opt/py3/bin/activate \
    && poetry config virtualenvs.create false \
    && poetry install --no-cache --only main \
    && ansible-galaxy collection install -r collections.yml --force --ignore-certs \
    && bash clean_site_packages.sh \
    && poetry cache clear pypi --all
--- a/37
+++ b/37
@@ -1,9 +1,34 @@
-ARG VERSION
+ARG VERSION=dev
-FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
+
-FROM jumpserver/core:${VERSION}
+FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} AS build-xpack
 FROM jumpserver/core:${VERSION}-ce
 COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
-RUN --mount=type=cache,target=/root/.cache \
+ARG TOOLS="                           \
-    set -ex \
+        g++                           \
-    && poetry install --only=xpack
+        curl                          \
        iputils-ping                  \
        netcat-openbsd                \
        nmap                          \
        telnet                        \
        vim                           \
        wget"
 RUN set -ex \
    && apt-get update \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && apt-get clean all \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
 ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
 COPY poetry.lock pyproject.toml ./
 RUN set -ex \
    && . /opt/py3/bin/activate \
    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
    && poetry install --only xpack \
    && poetry cache clear pypi --all
--- a/README.md
+++ b/README.md
@@ -1,125 +1,119 @@
-<p align="center">
+<div align="center">
-  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+  <a name="readme-top"></a>
-</p>
+  <a href="https://jumpserver.org/index-en.html"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
-<h3 align="center">广受欢迎的开源堡垒机</h3>
+  
 ## An open-source PAM tool (Bastion Host)
-<p align="center">
+[![][license-shield]][license-link]
-  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
+[![][discord-shield]][discord-link]
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
+[![][docker-shield]][docker-link]
-  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
+[![][github-release-shield]][github-release-link]
-  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
+[![][github-stars-shield]][github-stars-link]
-</p>
+
 [English](/README.md) · [中文(简体)](/readmes/README.zh-hans.md) · [中文(繁體)](/readmes/README.zh-hant.md) · [日本語](/readmes/README.ja.md) · [Português (Brasil)](/readmes/README.pt-br.md)
 </div>
 <br/>
 ## What is JumpServer?
 JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
 ![JumpServer Overview](https://github.com/jumpserver/jumpserver/assets/32935519/35a371cb-8590-40ed-88ec-f351f8cf9045)
 ## Quickstart
 Prepare a clean Linux Server ( 64 bit, >= 4c8g )
 ```sh
 curl -sSL https://github.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
 ```
 Access JumpServer in your browser at `http://your-jumpserver-ip/`
 - Username: `admin`
 - Password: `ChangeMe`
 [![JumpServer Quickstart](https://github.com/user-attachments/assets/0f32f52b-9935-485e-8534-336c63389612)](https://www.youtube.com/watch?v=UlGYRbKrpgY "JumpServer Quickstart")
 ## Screenshots
 <table style="border-collapse: collapse; border: 1px solid black;">
  <tr>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/99fabe5b-0475-4a53-9116-4c370a1426c4" alt="JumpServer Console"   /></td>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/a424d731-1c70-4108-a7d8-5bbf387dda9a" alt="JumpServer Audits"   /></td>
  </tr>
  <tr>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/393d2c27-a2d0-4dea-882d-00ed509e00c9" alt="JumpServer Workbench"   /></td>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/3a2611cd-8902-49b8-b82b-2a6dac851f3e" alt="JumpServer Settings"   /></td>
  </tr>
  <tr>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/1e236093-31f7-4563-8eb1-e36d865f1568" alt="JumpServer SSH"   /></td>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/69373a82-f7ab-41e8-b763-bbad2ba52167" alt="JumpServer RDP"   /></td>
  </tr>
  <tr>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/5bed98c6-cbe8-4073-9597-d53c69dc3957" alt="JumpServer K8s"   /></td>
    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/b80ad654-548f-42bc-ba3d-c1cfdf1b46d6" alt="JumpServer DB"   /></td>
  </tr>
 </table>
 ## Components
 JumpServer consists of multiple key components, which collectively form the functional framework of JumpServer, providing users with comprehensive capabilities for operations management and security control.
 | Project                                                | Status                                                                                                                                                                 | Description                                                                                             |
 |--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
 | [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI                                                                                       |
 | [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal                                                                                 |
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
 | [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
 | [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
 | [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                       |
 | [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Remote Application Connector (Windows)                                                    |
 | [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                      |
 | [Magnus](https://github.com/jumpserver/magnus)         | <img alt="Magnus" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Database Proxy Connector                                                                  |
 | [Nec](https://github.com/jumpserver/nec)               | <img alt="Nec" src="https://img.shields.io/badge/release-private-red" />                                                                                               | JumpServer EE VNC Proxy Connector                                                                       |
 | [Facelive](https://github.com/jumpserver/facelive)     | <img alt="Facelive" src="https://img.shields.io/badge/release-private-red" />                                                                                          | JumpServer EE Facial Recognition                                                                        |
-<p align="center">
+## Contributing
    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
    <br>
    9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
------------------------------
+Welcome to submit PR to contribute. Please refer to [CONTRIBUTING.md][contributing-link] for guidelines.
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
-JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+## Security
- **SSH**: Linux / Unix / 网络设备 等；
+JumpServer is a mission critical product. Please refer to the Basic Security Recommendations for installation and deployment. If you encounter any security-related issues, please contact us directly:
 - **Windows**: Web 方式连接 / 原生 RDP 连接；
 - **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
 - **NoSQL**: Redis / MongoDB 等；
 - **GPT**: ChatGPT 等;
 - **云服务**: Kubernetes / VMware vSphere 等;
 - **Web 站点**: 各类系统的 Web 管理后台；
 - **应用**: 通过 Remote App 连接各类应用。
-## 产品特色
+- Email: support@fit2cloud.com
- **开源**: 零门槛，线上快速获取和安装；
+## License
 - **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
 - **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
 - **多云支持**: 一套系统，同时管理不同云上面的资产；
 - **多租户**: 一套系统，多个子公司或部门同时使用；
 - **云端存储**: 审计录像云端存储，永不丢失；
-## UI 展示
+Copyright (c) 2014-2025 FIT2CLOUD, All rights reserved.
-![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
+Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 ## 在线体验
 - 环境地址：<https://demo.jumpserver.org/>
 | :warning: 注意                 |
 |:-----------------------------|
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 ## 快速开始
 - [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
 - [产品文档](https://docs.jumpserver.org)
 - [在线学习](https://edu.fit2cloud.com/page/2635362)
 - [知识库](https://kb.fit2cloud.com/categories/jumpserver)
 ## 案例研究
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
 - [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
 - [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
 - [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
 - [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
 - [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
 - [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
 - [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 ## 社区交流
 如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
 您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
 ### 参与贡献
 欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)
 ## 组件项目
 | 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                |
 |--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
 | [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                              |
 | [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                        |
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
 | [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
 | [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
 | [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目                                                      |
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
 | [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
 | [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
 | [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
 ## 安全说明
 JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
 进行安装部署。如果您发现安全相关问题，请直接联系我们：
 - 邮箱：support@fit2cloud.com
 - 电话：400-052-0755
 ## License & Copyright
 Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
 compliance with the License. You may obtain a copy of the License at
 https://www.gnu.org/licenses/gpl-3.0.html
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
+
-language governing permissions and limitations under the License.
+<!-- JumpServer official link -->
 [docs-link]: https://jumpserver.com/docs
 [discord-link]: https://discord.com/invite/W6vYXmAQG2
 [contributing-link]: https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md
 <!-- JumpServer Other link-->
 [license-link]: https://www.gnu.org/licenses/gpl-3.0.html
 [docker-link]: https://hub.docker.com/u/jumpserver
 [github-release-link]: https://github.com/jumpserver/jumpserver/releases/latest
 [github-stars-link]: https://github.com/jumpserver/jumpserver
 [github-issues-link]: https://github.com/jumpserver/jumpserver/issues
 <!-- Shield link-->
 [github-release-shield]: https://img.shields.io/github/v/release/jumpserver/jumpserver
 [github-stars-shield]: https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square
 [docker-shield]: https://img.shields.io/docker/pulls/jumpserver/jms_all.svg
 [license-shield]: https://img.shields.io/github/license/jumpserver/jumpserver
 [discord-shield]: https://img.shields.io/discord/1194233267294052363?style=flat&logo=discord&logoColor=%23f5f5f5&labelColor=%235462eb&color=%235462eb
 <!-- Image link -->
--- a/README.zh-CN.md
+++ b/README.zh-CN.md
@@ -0,0 +1,121 @@
 <p align="center">
  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
 </p>
 <h3 align="center">广受欢迎的开源堡垒机</h3>
 <p align="center">
  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 <p align="center">
    10 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
 ------------------------------
 ## JumpServer 是什么？
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
 - **SSH**: Linux / Unix / 网络设备 等；
 - **Windows**: Web 方式连接 / 原生 RDP 连接；
 - **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
 - **NoSQL**: Redis / MongoDB 等；
 - **GPT**: ChatGPT 等;
 - **云服务**: Kubernetes / VMware vSphere 等;
 - **Web 站点**: 各类系统的 Web 管理后台；
 - **应用**: 通过 Remote App 连接各类应用。
 ## 产品特色
 - **开源**: 零门槛，线上快速获取和安装；
 - **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
 - **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
 - **多云支持**: 一套系统，同时管理不同云上面的资产；
 - **多租户**: 一套系统，多个子公司或部门同时使用；
 - **云端存储**: 审计录像云端存储，永不丢失；
 ## 快速开始
 - [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
 - [产品文档](https://docs.jumpserver.org)
 - [在线学习](https://edu.fit2cloud.com/page/2635362)
 - [知识库](https://kb.fit2cloud.com/categories/jumpserver)
 ## UI 展示
 ![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
 ## 在线体验
 - 环境地址：<https://demo.jumpserver.org/>
 | :warning: 注意                 |
 |:-----------------------------|
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 ## 案例研究
 - [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
 - [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
 - [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
 - [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
 - [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
 - [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
 - [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
 - [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 ## 社区交流
 如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
 您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
 ## 参与贡献
 欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)
 ## 组件项目
 | Project                                                | Status                                                                                                                                                                 | Description                                                                                             |
 |--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
 | [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI                                                                                       |
 | [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal                                                                                 |
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
 | [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
 | [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
 | [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                          |
 | [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Remote Application Connector (Windows)                                                       |
 | [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                         |
 | [Magnus](https://github.com/jumpserver/magnus)         | <img alt="Magnus" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Database Proxy Connector                                                                     |
 ## 安全说明
 JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
 进行安装部署。如果您发现安全相关问题，请直接联系我们：
 - 邮箱：support@fit2cloud.com
 - 电话：400-052-0755
 ## License & Copyright
 Copyright (c) 2014-2024 飞致云, All rights reserved.
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
 compliance with the License. You may obtain a copy of the License at
 https://www.gnu.org/licenses/gpl-3.0.html
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
 AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
 language governing permissions and limitations under the License.
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,94 +0,0 @@
 <p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
 <h3 align="center">Open Source Bastion Host</h3>
 <p align="center">
  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 JumpServer is the world's first open-source Bastion Host and is licensed under the GPLv3. It is a 4A-compliant professional operation and maintenance security audit system.
 JumpServer uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience
 JumpServer adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.
 Change the world by taking every little step
 ----
 ### Advantages
 - Open Source: huge transparency and free to access with quick installation process.
 - Distributed: support large-scale concurrent access with ease.
 - No Plugin required: all you need is a browser, the ultimate Web Terminal experience.
 - Multi-Cloud supported: a unified system to manage assets on different clouds at the same time
 - Cloud storage: audit records are stored in the cloud. Data lost no more!
 - Multi-Tenant system: multiple subsidiary companies or departments access the same system simultaneously.
 - Many applications supported: link to databases, windows remote applications, and Kubernetes cluster, etc.
 ### JumpServer Component Projects
 - [Lina](https://github.com/jumpserver/lina) JumpServer Web UI
 - [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal
 - [KoKo](https://github.com/jumpserver/koko) JumpServer Character protocaol Connector, replace original Python Version [Coco](https://github.com/jumpserver/coco)
 - [Lion](https://github.com/jumpserver/lion-release) JumpServer Graphics protocol Connector，rely on [Apache Guacamole](https://guacamole.apache.org/)
 ### Contribution
 If you have any good ideas or helping us to fix bugs, please submit a Pull Request and accept our thanks :)
 Thanks to the following contributors for making JumpServer better everyday!
 <a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
 </a>
 <a href="https://github.com/jumpserver/koko/graphs/contributors">
  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
 </a>
 <a href="https://github.com/jumpserver/lina/graphs/contributors">
  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
 </a>
 <a href="https://github.com/jumpserver/luna/graphs/contributors">
  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
 </a>
 ### Thanks to
 - [Apache Guacamole](https://guacamole.apache.org/) Web page connection RDP, SSH, VNC protocol equipment. JumpServer graphical connection dependent.
 - [OmniDB](https://omnidb.org/) Web page connection to databases. JumpServer Web database dependent.
 ### JumpServer Enterprise Version 
 - [Apply for it](https://jinshuju.net/f/kyOYpi)
 ### Case Study
 - [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
 - [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
 - [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
 - [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
 - [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
 - [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
 ### For safety instructions
 JumpServer is a security product. Please refer to [Basic Security Recommendations](https://docs.jumpserver.org/zh/master/install/install_security/) for deployment and installation.
 If you find a security problem, please contact us directly：
 - ibuler@fit2cloud.com 
 - support@fit2cloud.com 
 - 400-052-0755
 ### License & Copyright
 Copyright (c) 2014-2022 FIT2CLOUD Tech, Inc., All rights reserved.
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 https://www.gnu.org/licenses/gpl-3.0.htmll
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--- a/apps/accounts/api/account/account.py
+++ b/apps/accounts/api/account/account.py
@@ -6,11 +6,12 @@ from rest_framework.status import HTTP_200_OK
 from accounts import serializers
 from accounts.filters import AccountFilterSet
 from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account
 from assets.models import Asset, Node
-from common.api import ExtraFilterFieldsMixin
+from authentication.permissions import UserConfirmation, ConfirmType
-from common.permissions import UserConfirmation, ConfirmType, IsValidUser
+from common.api.mixin import ExtraFilterFieldsMixin
-from common.views.mixins import RecordViewLogMixin
+from common.permissions import IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
@@ -57,19 +58,19 @@ class AccountViewSet(OrgBulkModelViewSet):
        permission_classes=[IsValidUser]
    )
    def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.data.get('assets')
+        asset_ids = request.data.get('assets', [])
-        node_ids = request.data.get('nodes')
+        node_ids = request.data.get('nodes', [])
-        username = request.data.get('username')
+        username = request.data.get('username', '')
-        assets = Asset.objects.all()
+        accounts = Account.objects.all()
        if asset_ids:
            assets = assets.filter(id__in=asset_ids)
        if node_ids:
            nodes = Node.objects.filter(id__in=node_ids)
            node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-            assets = assets.filter(id__in=set(list(asset_ids) + list(node_asset_ids)))
+            asset_ids.extend(node_asset_ids)
        if asset_ids:
            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
        accounts = Account.objects.filter(asset__in=assets)
        if username:
            accounts = accounts.filter(username__icontains=username)
        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
@@ -86,7 +87,7 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(status=HTTP_200_OK)
-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
    """
    因为可能要导出所有账号，所以单独建立了一个 viewset
    """
@@ -115,7 +116,7 @@ class AssetAccountBulkCreateApi(CreateAPIView):
        return Response(data=serializer.data, status=HTTP_200_OK)
-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
    model = Account.history.model
    serializer_class = serializers.AccountHistorySerializer
    http_method_names = ['get', 'options']
@@ -143,4 +144,3 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, List
            return histories
        histories = histories.exclude(history_id=latest_history.history_id)
        return histories
--- a/apps/accounts/api/account/task.py
+++ b/apps/accounts/api/account/task.py
@@ -1,9 +1,13 @@
 from django.db.models import Q
 from rest_framework.generics import CreateAPIView
 from rest_framework.response import Response
 from accounts import serializers
-from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
+from accounts.models import Account
-from assets.exceptions import NotSupportedTemporarilyError
+from accounts.permissions import AccountTaskActionPermission
 from accounts.tasks import (
    remove_accounts_task, verify_accounts_connectivity_task, push_accounts_to_assets_task
 )
 from authentication.permissions import UserConfirmation, ConfirmType
 __all__ = [
    'AccountsTaskCreateAPI',
@@ -12,38 +16,48 @@ __all__ = [
 class AccountsTaskCreateAPI(CreateAPIView):
    serializer_class = serializers.AccountTaskSerializer
    permission_classes = (AccountTaskActionPermission,)
-    def check_permissions(self, request):
+    def get_permissions(self):
-        act = request.data.get('action')
+        act = self.request.data.get('action')
-        if act == 'push':
+        if act == 'remove':
-            code = 'accounts.push_account'
+            self.permission_classes = [
-        else:
+                AccountTaskActionPermission,
-            code = 'accounts.verify_account'
+                UserConfirmation.require(ConfirmType.PASSWORD)
-        return request.user.has_perm(code)
+            ]
        return super().get_permissions()
    @staticmethod
    def get_account_ids(data, action):
        account_type = 'gather_accounts' if action == 'remove' else 'accounts'
        accounts = data.get(account_type, [])
        account_ids = [str(a.id) for a in accounts]
        if action == 'remove':
            return account_ids
        assets = data.get('assets', [])
        asset_ids = [str(a.id) for a in assets]
        ids = Account.objects.filter(
            Q(id__in=account_ids) | Q(asset_id__in=asset_ids)
        ).distinct().values_list('id', flat=True)
        return [str(_id) for _id in ids]
    def perform_create(self, serializer):
        data = serializer.validated_data
-        accounts = data.get('accounts', [])
+        action = data['action']
-        params = data.get('params')
+        ids = self.get_account_ids(data, action)
        account_ids = [str(a.id) for a in accounts]
-        if data['action'] == 'push':
+        if action == 'push':
-            task = push_accounts_to_assets_task.delay(account_ids, params)
+            task = push_accounts_to_assets_task.delay(ids, data.get('params'))
        elif action == 'remove':
            task = remove_accounts_task.delay(ids)
        elif action == 'verify':
            task = verify_accounts_connectivity_task.delay(ids)
        else:
-            account = accounts[0]
+            raise ValueError(f"Invalid action: {action}")
            asset = account.asset
            if not asset.auto_config['ansible_enabled'] or \
                    not asset.auto_config['ping_enabled']:
                raise NotSupportedTemporarilyError()
            task = verify_accounts_connectivity_task.delay(account_ids)
        data = getattr(serializer, '_data', {})
        data["task"] = task.id
        setattr(serializer, '_data', data)
        return task
    def get_exception_handler(self):
        def handler(e, context):
            return Response({"error": str(e)}, status=400)
        return handler
--- a/apps/accounts/api/account/template.py
+++ b/apps/accounts/api/account/template.py
@@ -1,13 +1,15 @@
 from django_filters import rest_framework as drf_filters
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from accounts import serializers
 from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import AccountTemplate
 from accounts.tasks import template_sync_related_accounts
 from assets.const import Protocol
 from authentication.permissions import UserConfirmation, ConfirmType
 from common.drf.filters import BaseFilterSet
 from common.permissions import UserConfirmation, ConfirmType
 from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
@@ -44,6 +46,7 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
    }
    rbac_perms = {
        'su_from_account_templates': 'accounts.view_accounttemplate',
        'sync_related_accounts': 'accounts.change_account',
    }
    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
@@ -54,8 +57,15 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
        serializer = self.get_serializer(templates, many=True)
        return Response(data=serializer.data)
    @action(methods=['patch'], detail=True, url_path='sync-related-accounts')
    def sync_related_accounts(self, request, *args, **kwargs):
        instance = self.get_object()
        user_id = str(request.user.id)
        task = template_sync_related_accounts.delay(str(instance.id), user_id)
        return Response({'task': task.id}, status=status.HTTP_200_OK)
-class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+
 class AccountTemplateSecretsViewSet(AccountRecordViewLogMixin, AccountTemplateViewSet):
    serializer_classes = {
        'default': serializers.AccountTemplateSecretSerializer,
    }
--- a/apps/accounts/api/automations/backup.py
+++ b/apps/accounts/api/automations/backup.py
@@ -18,9 +18,8 @@ __all__ = [
 class AccountBackupPlanViewSet(OrgBulkModelViewSet):
    model = AccountBackupAutomation
-    filter_fields = ('name',)
+    filterset_fields = ('name',)
-    search_fields = filter_fields
+    search_fields = filterset_fields
    ordering = ('name',)
    serializer_class = serializers.AccountBackupSerializer
--- a/apps/accounts/api/automations/base.py
+++ b/apps/accounts/api/automations/base.py
@@ -20,8 +20,8 @@ __all__ = [
 class AutomationAssetsListApi(generics.ListAPIView):
    model = BaseAutomation
    serializer_class = serializers.AutomationAssetsSerializer
-    filter_fields = ("name", "address")
+    filterset_fields = ("name", "address")
-    search_fields = filter_fields
+    search_fields = filterset_fields
    def get_object(self):
        pk = self.kwargs.get('pk')
--- a/apps/accounts/api/automations/change_secret.py
+++ b/apps/accounts/api/automations/change_secret.py
@@ -1,13 +1,17 @@
 # -*- coding: utf-8 -*-
 #
-
+from rest_framework import status, mixins
-from rest_framework import mixins
+from rest_framework.decorators import action
 from rest_framework.response import Response
 from accounts import serializers
 from accounts.const import AutomationTypes
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
+from accounts.filters import ChangeSecretRecordFilterSet
-from common.utils import get_object_or_none
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
 from accounts.tasks import execute_automation_record_task
 from authentication.permissions import UserConfirmation, ConfirmType
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from rbac.permissions import RBACPermission
 from .base import (
    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
@@ -23,28 +27,53 @@ __all__ = [
 class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
    model = ChangeSecretAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    filterset_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
+    search_fields = filterset_fields
    serializer_class = serializers.ChangeSecretAutomationSerializer
 class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
-    serializer_class = serializers.ChangeSecretRecordSerializer
+    filterset_class = ChangeSecretRecordFilterSet
-    filter_fields = ['asset', 'execution_id']
+    search_fields = ('asset__address',)
-    search_fields = ['asset__hostname']
+    tp = AutomationTypes.change_secret
    serializer_classes = {
        'default': serializers.ChangeSecretRecordSerializer,
        'secret': serializers.ChangeSecretRecordViewSecretSerializer,
    }
    rbac_perms = {
        'execute': 'accounts.add_changesecretexecution',
        'secret': 'accounts.view_changesecretrecord',
    }
    def get_permissions(self):
        if self.action == 'secret':
            self.permission_classes = [
                RBACPermission,
                UserConfirmation.require(ConfirmType.MFA)
            ]
        return super().get_permissions()
    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
+        return ChangeSecretRecord.objects.all()
            execution__automation__type=AutomationTypes.change_secret
        )
-    def filter_queryset(self, queryset):
+    @action(methods=['post'], detail=False, url_path='execute')
-        queryset = super().filter_queryset(queryset)
+    def execute(self, request, *args, **kwargs):
-        eid = self.request.query_params.get('execution_id')
+        record_ids = request.data.get('record_ids')
-        execution = get_object_or_none(AutomationExecution, pk=eid)
+        records = self.get_queryset().filter(id__in=record_ids)
-        if execution:
+        execution_count = records.values_list('execution_id', flat=True).distinct().count()
-            queryset = queryset.filter(execution=execution)
+        if execution_count != 1:
-        return queryset
+            return Response(
                {'detail': 'Only one execution is allowed to execute'},
                status=status.HTTP_400_BAD_REQUEST
            )
        task = execute_automation_record_task.delay(record_ids, self.tp)
        return Response({'task': task.id}, status=status.HTTP_200_OK)
    @action(methods=['get'], detail=True, url_path='secret')
    def secret(self, request, *args, **kwargs):
        instance = self.get_object()
        serializer = self.get_serializer(instance)
        return Response(serializer.data)
 class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
--- a/apps/accounts/api/automations/gather_accounts.py
+++ b/apps/accounts/api/automations/gather_accounts.py
@@ -20,8 +20,8 @@ __all__ = [
 class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
    model = GatherAccountsAutomation
-    filter_fields = ('name',)
+    filterset_fields = ('name',)
-    search_fields = filter_fields
+    search_fields = filterset_fields
    serializer_class = serializers.GatherAccountAutomationSerializer
--- a/apps/accounts/api/automations/push_account.py
+++ b/apps/accounts/api/automations/push_account.py
@@ -20,8 +20,8 @@ __all__ = [
 class PushAccountAutomationViewSet(OrgBulkModelViewSet):
    model = PushAccountAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    filterset_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
+    search_fields = filterset_fields
    serializer_class = serializers.PushAccountAutomationSerializer
@@ -42,6 +42,7 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):
 class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
    serializer_class = serializers.ChangeSecretRecordSerializer
    tp = AutomationTypes.push_account
    def get_queryset(self):
        return ChangeSecretRecord.objects.filter(
--- a/apps/accounts/apps.py
+++ b/apps/accounts/apps.py
@@ -4,6 +4,7 @@ from django.apps import AppConfig
 class AccountsConfig(AppConfig):
    default_auto_field = 'django.db.models.BigAutoField'
    name = 'accounts'
    verbose_name = 'App Accounts'
    def ready(self):
        from . import signal_handlers  # noqa
--- a/apps/accounts/automations/backup_account/handlers.py
+++ b/apps/accounts/automations/backup_account/handlers.py
@@ -3,17 +3,25 @@ import time
 from collections import defaultdict, OrderedDict
 from django.conf import settings
-from openpyxl import Workbook
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 from xlsxwriter import Workbook
-from accounts.notifications import AccountBackupExecutionTaskMsg
+from accounts.const import AccountBackupType
 from accounts.models.automations.backup_account import AccountBackupAutomation
 from accounts.notifications import AccountBackupExecutionTaskMsg, AccountBackupByObjStorageExecutionTaskMsg
 from accounts.serializers import AccountSecretSerializer
 from assets.const import AllTypes
-from common.utils.file import encrypt_and_compress_zip_file
+from common.utils.file import encrypt_and_compress_zip_file, zip_files
-from common.utils.timezone import local_now_display
+from common.utils.timezone import local_now_filename, local_now_display
 from terminal.models.component.storage import ReplayStorage
 from users.models import User
 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
 split_help_text = _('The account key will be split into two parts and sent')
 class RecipientsNotFound(Exception):
    pass
 class BaseAccountHandler:
@@ -67,7 +75,7 @@ class AssetAccountHandler(BaseAccountHandler):
    @staticmethod
    def get_filename(plan_name):
        filename = os.path.join(
-            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.xlsx'
        )
        return filename
@@ -108,8 +116,8 @@ class AssetAccountHandler(BaseAccountHandler):
            data = AccountSecretSerializer(_accounts, many=True).data
            cls.handler_secret(data, section)
            data_map.update(cls.add_rows(data, header_fields, sheet_name))
-
+        number_of_backup_accounts = _('Number of backup accounts')
-        print('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
+        print('\n\033[33m- {}: {}\033[0m'.format(number_of_backup_accounts, accounts.count()))
        return data_map
@@ -120,9 +128,10 @@ class AccountBackupHandler:
        self.is_frozen = False  # 任务状态冻结标志
    def create_excel(self, section='complete'):
        hint = _('Generating asset or application related backup information files')
        print(
            '\n'
-            '\033[32m>>> 正在生成资产或应用相关备份信息文件\033[0m'
+            f'\033[32m>>> {hint}\033[0m'
            ''
        )
        # Print task start date
@@ -137,13 +146,16 @@ class AccountBackupHandler:
        wb = Workbook(filename)
        for sheet, data in data_map.items():
-            ws = wb.create_sheet(str(sheet))
+            ws = wb.add_worksheet(str(sheet))
-            for row in data:
+            for row_index, row_data in enumerate(data):
-                ws.append(row)
+                for col_index, col_data in enumerate(row_data):
-        wb.save(filename)
+                    ws.write_string(row_index, col_index, col_data)
        wb.close()
        files.append(filename)
        timedelta = round((time.time() - time_start), 2)
-        print('步骤完成: 用时 {}s'.format(timedelta))
+        time_cost = _('Time cost')
        file_created = _('Backup file creation completed')
        print('{}: {} {}s'.format(file_created, time_cost, timedelta))
        return files
    def send_backup_mail(self, files, recipients):
@@ -152,7 +164,7 @@ class AccountBackupHandler:
        recipients = User.objects.filter(id__in=list(recipients))
        print(
            '\n'
-            '\033[32m>>> 发送备份邮件\033[0m'
+            f'\033[32m>>> {_("Start sending backup emails")}\033[0m'
            ''
        )
        plan_name = self.plan_name
@@ -160,12 +172,37 @@ class AccountBackupHandler:
            if not user.secret_key:
                attachment_list = []
            else:
-                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
-                attachment = os.path.join(PATH, f'{plan_name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, user.secret_key, files)
                encrypt_and_compress_zip_file(attachment, password, files)
                attachment_list = [attachment, ]
            AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
-            print('邮件已发送至{}({})'.format(user, user.email))
+            email_sent_to = _('Email sent to')
            print('{} {}({})'.format(email_sent_to, user, user.email))
        for file in files:
            os.remove(file)
    def send_backup_obj_storage(self, files, recipients, password):
        if not files:
            return
        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
        print(
            '\n'
            '\033[32m>>> 📃 ---> sftp \033[0m'
            ''
        )
        plan_name = self.plan_name
        encrypt_file = _('Encrypting files using encryption password')
        for rec in recipients:
            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
            if password:
                print(f'\033[32m>>> {encrypt_file}\033[0m')
                encrypt_and_compress_zip_file(attachment, password, files)
            else:
                zip_files(attachment, files)
            attachment_list = attachment
            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
            file_sent_to = _('The backup file will be sent to')
            print('{}: {}({})'.format(file_sent_to, rec.name, rec.id))
        for file in files:
            os.remove(file)
@@ -173,41 +210,27 @@ class AccountBackupHandler:
        self.execution.reason = reason[:1024]
        self.execution.is_success = is_success
        self.execution.save()
-        print('已完成对任务状态的更新')
+        finish = _('Finish')
        print(f'\n{finish}\n')
    @staticmethod
    def step_finished(is_success):
        if is_success:
-            print('任务执行成功')
+            print(_('Success'))
        else:
-            print('任务执行失败')
+            print(_('Failed'))
    def _run(self):
        is_success = False
        error = '-'
        try:
-            recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
+            backup_type = self.execution.snapshot.get('backup_type', AccountBackupType.email.value)
-            recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
+            if backup_type == AccountBackupType.email.value:
-            if not recipients_part_one and not recipients_part_two:
+                self.backup_by_email()
-                print(
+            elif backup_type == AccountBackupType.object_storage.value:
-                    '\n'
+                self.backup_by_obj_storage()
                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
                    ''
                )
            if recipients_part_one and recipients_part_two:
                files = self.create_excel(section='front')
                self.send_backup_mail(files, recipients_part_one)
                files = self.create_excel(section='back')
                self.send_backup_mail(files, recipients_part_two)
            else:
                recipients = recipients_part_one or recipients_part_two
                files = self.create_excel()
                self.send_backup_mail(files, recipients)
        except Exception as e:
            self.is_frozen = True
            print('任务执行被异常中断')
            print('下面打印发生异常的 Traceback 信息 : ')
            print(e)
            error = str(e)
        else:
@@ -217,16 +240,68 @@ class AccountBackupHandler:
            self.step_perform_task_update(is_success, reason)
            self.step_finished(is_success)
    def backup_by_obj_storage(self):
        object_id = self.execution.snapshot.get('id')
        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
        no_assigned_sftp_server = _('The backup task has no assigned sftp server')
        if not obj_recipients_part_one and not obj_recipients_part_two:
            print(
                '\n'
                f'\033[31m>>> {no_assigned_sftp_server}\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if obj_recipients_part_one and obj_recipients_part_two:
            print(f'\033[32m>>> {split_help_text}\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)
            files = self.create_excel(section='back')
            self.send_backup_obj_storage(files, obj_recipients_part_two, zip_encrypt_password)
        else:
            recipients = obj_recipients_part_one or obj_recipients_part_two
            files = self.create_excel()
            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)
    def backup_by_email(self):
        warn_text = _('The backup task has no assigned recipient')
        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
        if not recipients_part_one and not recipients_part_two:
            print(
                '\n'
                f'\033[31m>>> {warn_text}\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if recipients_part_one and recipients_part_two:
            print(f'\033[32m>>> {split_help_text}\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_mail(files, recipients_part_one)
            files = self.create_excel(section='back')
            self.send_backup_mail(files, recipients_part_two)
        else:
            recipients = recipients_part_one or recipients_part_two
            files = self.create_excel()
            self.send_backup_mail(files, recipients)
    def run(self):
-        print('任务开始: {}'.format(local_now_display()))
+        plan_start = _('Plan start')
        plan_end = _('Plan end')
        time_cost = _('Time cost')
        error = _('An exception occurred during task execution')
        print('{}: {}'.format(plan_start, local_now_display()))
        time_start = time.time()
        try:
            self._run()
        except Exception as e:
-            print('任务运行出现异常')
+            print(error)
            print('下面显示异常 Traceback 信息: ')
            print(e)
        finally:
-            print('\n任务结束: {}'.format(local_now_display()))
+            print('\n{}: {}'.format(plan_end, local_now_display()))
            timedelta = round((time.time() - time_start), 2)
-            print('用时: {}'.format(timedelta))
+            print('{}: {}s'.format(time_cost, timedelta))
--- a/apps/accounts/automations/backup_account/manager.py
+++ b/apps/accounts/automations/backup_account/manager.py
@@ -3,6 +3,7 @@
 import time
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from common.utils.timezone import local_now_display
 from .handlers import AccountBackupHandler
@@ -19,7 +20,8 @@ class AccountBackupManager:
    def do_run(self):
        execution = self.execution
-        print('\n\033[33m# 账号备份计划正在执行\033[0m')
+        account_backup_execution_being_executed = _('The account backup plan is being executed')
        print(f'\n\033[33m# {account_backup_execution_being_executed}\033[0m')
        handler = AccountBackupHandler(execution)
        handler.run()
@@ -32,9 +34,11 @@ class AccountBackupManager:
        self.date_end = timezone.now()
        print('\n\n' + '-' * 80)
-        print('计划执行结束 {}\n'.format(local_now_display()))
+        plan_execution_end = _('Plan execution end')
        print('{} {}\n'.format(plan_execution_end, local_now_display()))
        self.timedelta = self.time_end - self.time_start
-        print('用时: {}s'.format(self.timedelta))
+        time_cost = _('Time cost')
        print('{}: {}s'.format(time_cost, self.timedelta))
        self.execution.timedelta = self.timedelta
        self.execution.save()
--- a/apps/accounts/automations/change_secret/custom/ssh/main.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/main.yml
@@ -13,12 +13,15 @@
        login_password: "{{ jms_account.secret }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
-        become: "{{ custom_become | default(False) }}"
+        become: "{{ jms_custom_become | default(False) }}"
-        become_method: "{{ custom_become_method | default('su') }}"
+        become_method: "{{ jms_custom_become_method | default('su') }}"
-        become_user: "{{ custom_become_user | default('') }}"
+        become_user: "{{ jms_custom_become_user | default('') }}"
-        become_password: "{{ custom_become_password | default('') }}"
+        become_password: "{{ jms_custom_become_password | default('') }}"
-        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+        become_private_key_path: "{{ jms_custom_become_private_key_path | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
      register: ping_info
      delegate_to: localhost
    - name: Change asset password (paramiko)
      custom_command:
@@ -28,11 +31,11 @@
        login_port: "{{ jms_asset.port }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
-        become: "{{ custom_become | default(False) }}"
+        become: "{{ jms_custom_become | default(False) }}"
-        become_method: "{{ custom_become_method | default('su') }}"
+        become_method: "{{ jms_custom_become_method | default('su') }}"
-        become_user: "{{ custom_become_user | default('') }}"
+        become_user: "{{ jms_custom_become_user | default('') }}"
-        become_password: "{{ custom_become_password | default('') }}"
+        become_password: "{{ jms_custom_become_password | default('') }}"
-        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+        become_private_key_path: "{{ jms_custom_become_private_key_path | default(None) }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        commands: "{{ params.commands }}"
@@ -40,6 +43,7 @@
      ignore_errors: true
      when: ping_info is succeeded
      register: change_info
      delegate_to: localhost
    - name: Verify password (paramiko)
      ssh_ping:
@@ -47,4 +51,11 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/custom/ssh/manifest.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/manifest.yml
@@ -6,15 +6,27 @@ category:
 type:
  - all
 method: change_secret
 protocol: ssh
 priority: 50
 params:
  - name: commands
    type: list
-    label: '自定义命令'
+    label: "{{ 'Params commands label' | trans }}"
    default: [ '' ]
-    help_text: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
+    help_text: "{{ 'Params commands help text' | trans }}"
 i18n:
  SSH account change secret:
-    zh: 使用 SSH 命令行自定义改密
+    zh: '使用 SSH 命令行自定义改密'
-    ja: SSH コマンドライン方式でカスタムパスワード変更
+    ja: 'SSH コマンドライン方式でカスタムパスワード変更'
-    en: Custom password change by SSH command line
+    en: 'Custom password change by SSH command line'
  Params commands help text:
    zh: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
    ja: 'カスタム コマンドに SSH 接続用のアカウント番号、パスワード、ユーザー パスワード フィールドを含める必要がある場合は、<br />&#123;ユーザー名&#125;、&#123;パスワード&#125;、&#123;login_password& を使用してください。 # 125; 形式。タスクの実行時に置き換えられます。 <br />たとえば、Cisco ホストのパスワードを変更するには、通常、次の 5 つのコマンドを設定する必要があります:<br />1.enable<br />2.&#123;login_password&#125;<br />3 .ターミナルの設定<br / >4. ユーザー名 &#123;ユーザー名&#125; 権限 0 パスワード &#123;パスワード&#125; <br />5. 終了'
    en: 'If the custom command needs to include the account number, password, and user password field for SSH connection,<br />Please use &#123;username&#125;, &#123;password&#125;, &#123;login_password&# 125; format, which will be replaced when executing the task. <br />For example, to change the password of a Cisco host, you generally need to configure five commands:<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br / >4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
  Params commands label:
    zh: '自定义命令'
    ja: 'カスタムコマンド'
    en: 'Custom command'
--- a/apps/accounts/automations/change_secret/database/mongodb/main.yml
+++ b/apps/accounts/automations/change_secret/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test MongoDB connection
@@ -11,9 +11,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl | default('') }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/change_secret/database/mysql/main.yml
+++ b/apps/accounts/automations/change_secret/database/mysql/main.yml
@@ -1,8 +1,12 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Test MySQL connection
@@ -11,6 +15,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
      register: db_info
@@ -24,6 +32,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -37,4 +49,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/apps/accounts/automations/change_secret/database/oracle/main.yml
+++ b/apps/accounts/automations/change_secret/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test Oracle connection
@@ -39,3 +39,4 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ account.mode }}"
--- a/apps/accounts/automations/change_secret/database/postgresql/main.yml
+++ b/apps/accounts/automations/change_secret/database/postgresql/main.yml
@@ -1,7 +1,11 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Test PostgreSQL connection
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      register: result
      failed_when: not result.is_available
@@ -28,6 +36,10 @@
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
@@ -39,3 +51,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
--- a/apps/accounts/automations/change_secret/database/sqlserver/main.yml
+++ b/apps/accounts/automations/change_secret/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0
@@ -51,7 +51,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
-        groups: "{{ params.groups }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
        append: yes
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: "Get home directory for {{ account.username }}"
      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
      register: home_dir
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Check if home directory exists for {{ account.username }}"
      ansible.builtin.stat:
        path: "{{ home_dir.stdout.strip() }}"
      register: home_dir_stat
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Ensure {{ account.username }} home directory exists"
      ansible.builtin.file:
        path: "{{ home_dir.stdout.strip() }}"
        state: directory
        owner: "{{ account.username }}"
        group: "{{ account.username }}"
        mode: '0750'
      when:
        - account.secret_type == "ssh_key"
        - home_dir_stat.stat.exists == false
      ignore_errors: yes
    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
      ignore_errors: yes
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
@@ -79,8 +93,13 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
@@ -90,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/aix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/aix/manifest.yml
@@ -5,6 +5,12 @@ type:
  - AIX
 method: change_secret
 params:
  - name: modify_sudo
    type: bool
    label: "{{ 'Modify sudo label' | trans }}"
    default: False
    help_text: "{{ 'Modify params sudo help text' | trans }}"
  - name: sudo
    type: str
    label: 'Sudo'
@@ -28,12 +34,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"
  - name: uid
    type: str
    label: "{{ 'Params uid label' | trans }}"
    default: ''
    help_text: "{{ 'Params uid help text' | trans }}"
 i18n:
  AIX account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
    ja: 'Ansible user モジュールを使用してアカウントのパスワード変更 (DES)'
    en: 'Using Ansible module user to change account secret (DES)'
  Modify params sudo help text:
    zh: '如果用户存在，可以修改sudo权限'
    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
    en: 'If the user exists, sudo permissions can be modified'
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -49,6 +66,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params uid help text:
    zh: '请输入用户ID'
    ja: 'ユーザーIDを入力してください'
    en: 'Please enter the user ID'
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
    en: 'Modify sudo'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -59,3 +86,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'
  Params uid label:
    zh: '用户ID'
    ja: 'ユーザーID'
    en: 'User ID'
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
-        groups: "{{ params.groups }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
        append: yes
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: "Get home directory for {{ account.username }}"
      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
      register: home_dir
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Check if home directory exists for {{ account.username }}"
      ansible.builtin.stat:
        path: "{{ home_dir.stdout.strip() }}"
      register: home_dir_stat
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Ensure {{ account.username }} home directory exists"
      ansible.builtin.file:
        path: "{{ home_dir.stdout.strip() }}"
        state: directory
        owner: "{{ account.username }}"
        group: "{{ account.username }}"
        mode: '0750'
      when:
        - account.secret_type == "ssh_key"
        - home_dir_stat.stat.exists == false
      ignore_errors: yes
    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
      ignore_errors: yes
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
@@ -79,8 +93,13 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
@@ -90,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/posix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/posix/manifest.yml
@@ -6,6 +6,12 @@ type:
  - linux
 method: change_secret
 params:
  - name: modify_sudo
    type: bool
    label: "{{ 'Modify sudo label' | trans }}"
    default: False
    help_text: "{{ 'Modify params sudo help text' | trans }}"
  - name: sudo
    type: str
    label: 'Sudo'
@@ -30,12 +36,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"
  - name: uid
    type: str
    label: "{{ 'Params uid label' | trans }}"
    default: ''
    help_text: "{{ 'Params uid help text' | trans }}"
 i18n:
  Posix account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
    ja: 'Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)'
    en: 'Using Ansible module user to change account secret (SHA512)'
  Modify params sudo help text:
    zh: '如果用户存在，可以修改sudo权限'
    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
    en: 'If the user exists, sudo permissions can be modified'
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -51,6 +68,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params uid help text:
    zh: '请输入用户ID'
    ja: 'ユーザーIDを入力してください'
    en: 'Please enter the user ID'
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
    en: 'Modify sudo'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -61,3 +88,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'
  Params uid label:
    zh: '用户ID'
    ja: 'ユーザーID'
    en: 'User ID'
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
@@ -0,0 +1,35 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: Test privileged account
      ansible.windows.win_ping:
 #    - name: Print variables
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
    - name: Change password
      ansible.windows.win_user:
        fullname: "{{ account.username}}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        password_never_expires: yes
        groups: "{{ params.groups }}"
        groups_action: add
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
    - name: Verify password (pyfreerdp)
      rdp_ping:
        login_host: "{{ jms_asset.origin_address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        gateway_args: "{{ jms_gateway | default({}) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
@@ -0,0 +1,27 @@
 id: change_secret_windows_rdp_verify
 name: "{{ 'Windows account change secret rdp verify' | trans }}"
 version: 1
 method: change_secret
 category: host
 type:
  - windows
 priority: 49
 params:
  - name: groups
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account change secret rdp verify:
    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@@ -1,20 +1,20 @@
 import os
 import time
 from collections import defaultdict
 from copy import deepcopy
 from django.conf import settings
 from django.utils import timezone
-from openpyxl import Workbook
+from django.utils.translation import gettext_lazy as _
 from xlsxwriter import Workbook
-from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
+from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy, ChangeSecretRecordStatusChoice
-from accounts.models import ChangeSecretRecord
+from accounts.models import ChangeSecretRecord, BaseAccountQuerySet
-from accounts.notifications import ChangeSecretExecutionTaskMsg
+from accounts.notifications import ChangeSecretExecutionTaskMsg, ChangeSecretFailedMsg
 from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
+from common.utils.timezone import local_now_filename
 from users.models import User
 from ..base.manager import AccountBasePlaybookManager
 from ...utils import SecretGenerator
@@ -27,7 +27,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
-        self.method_hosts_mapper = defaultdict(list)
+        self.record_map = self.execution.snapshot.get('record_map', {})
        self.secret_type = self.execution.snapshot.get('secret_type')
        self.secret_strategy = self.execution.snapshot.get(
            'secret_strategy', SecretStrategy.custom
@@ -50,7 +50,6 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
        return kwargs
@@ -66,10 +65,10 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        else:
            return self.secret_generator(secret_type).get_secret()
-    def get_accounts(self, privilege_account):
+    def get_accounts(self, privilege_account) -> BaseAccountQuerySet | None:
        if not privilege_account:
-            print(f'not privilege account')
+            print('Not privilege account')
-            return []
+            return
        asset = privilege_account.asset
        accounts = asset.accounts.all()
@@ -95,34 +94,50 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return host
        accounts = self.get_accounts(account)
        error_msg = _("No pending accounts found")
        if not accounts:
-            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
+            print(f'{asset}: {error_msg}')
                asset.name, self.account_ids, self.secret_type
            ))
            return []
        method_attr = getattr(automation, self.method_type() + '_method')
        method_hosts = self.method_hosts_mapper[method_attr]
        method_hosts = [h for h in method_hosts if h != host['name']]
        inventory_hosts = []
        records = []
-
+        inventory_hosts = []
        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
            print(f'Windows {asset} does not support ssh key push')
            return inventory_hosts
        if asset.type == HostTypes.WINDOWS:
            accounts = accounts.filter(secret_type=SecretType.PASSWORD)
        host['ssh_params'] = {}
        for account in accounts:
            h = deepcopy(host)
            secret_type = account.secret_type
            h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret(secret_type)
+            if self.secret_type is None:
                new_secret = account.secret
            else:
                new_secret = self.get_secret(secret_type)
            if new_secret is None:
                print(f'new_secret is None, account: {account}')
                continue
            asset_account_id = f'{asset.id}-{account.id}'
            if asset_account_id not in self.record_map:
                recorder = ChangeSecretRecord(
                    asset=asset, account=account, execution=self.execution,
                    old_secret=account.secret, new_secret=new_secret,
                    comment=f'{account.username}@{asset.address}'
                )
                records.append(recorder)
            else:
                record_id = self.record_map[asset_account_id]
                try:
                    recorder = ChangeSecretRecord.objects.get(id=record_id)
                except ChangeSecretRecord.DoesNotExist:
                    print(f"Record {record_id} not found")
                    continue
            recorder = ChangeSecretRecord(
                asset=asset, account=account, execution=self.execution,
                old_secret=account.secret, new_secret=new_secret,
            )
            records.append(recorder)
            self.name_recorder_mapper[h['name']] = recorder
            private_key_path = None
@@ -135,42 +150,69 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                'name': account.name,
                'username': account.username,
                'secret_type': secret_type,
-                'secret': new_secret,
+                'secret': account.escape_jinja2_syntax(new_secret),
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
                'become': account.get_ansible_become_auth(),
            }
            if asset.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
            inventory_hosts.append(h)
            method_hosts.append(h['name'])
        self.method_hosts_mapper[method_attr] = method_hosts
        ChangeSecretRecord.objects.bulk_create(records)
        return inventory_hosts
    @staticmethod
    def require_update_version(account, recorder):
        return account.secret != recorder.new_secret
    def on_host_success(self, host, result):
        recorder = self.name_recorder_mapper.get(host)
        if not recorder:
            return
-        recorder.status = 'success'
+        recorder.status = ChangeSecretRecordStatusChoice.success.value
        recorder.date_finished = timezone.now()
-        recorder.save()
+
        account = recorder.account
        if not account:
            print("Account not found, deleted ?")
            return
        version_update_required = self.require_update_version(account, recorder)
        account.secret = recorder.new_secret
-        account.save(update_fields=['secret'])
+        account.date_updated = timezone.now()
        max_retries = 3
        retry_count = 0
        while retry_count < max_retries:
            try:
                recorder.save()
                account_update_fields = ['secret', 'date_updated']
                if version_update_required:
                    account_update_fields.append('version')
                account.save(update_fields=account_update_fields)
                break
            except Exception as e:
                retry_count += 1
                if retry_count == max_retries:
                    self.on_host_error(host, str(e), result)
                else:
                    print(f'retry {retry_count} times for {host} recorder save error: {e}')
                    time.sleep(1)
    def on_host_error(self, host, error, result):
        recorder = self.name_recorder_mapper.get(host)
        if not recorder:
            return
-        recorder.status = 'failed'
+        recorder.status = ChangeSecretRecordStatusChoice.failed.value
        recorder.date_finished = timezone.now()
        recorder.error = error
-        recorder.save()
+        try:
            recorder.save()
        except Exception as e:
            print(f"\033[31m Save {host} recorder error: {e} \033[0m\n")
    def on_runner_failed(self, runner, e):
-        logger.error("Change secret error: ", e)
+        logger.error("Account error: ", e)
    def check_secret(self):
        if self.secret_strategy == SecretStrategy.custom \
@@ -179,35 +221,72 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return False
        return True
    @staticmethod
    def get_summary(recorders):
        total, succeed, failed = 0, 0, 0
        for recorder in recorders:
            if recorder.status == ChangeSecretRecordStatusChoice.success.value:
                succeed += 1
            else:
                failed += 1
            total += 1
        summary = _('Success: %s, Failed: %s, Total: %s') % (succeed, failed, total)
        return summary
    def run(self, *args, **kwargs):
-        if not self.check_secret():
+        if self.secret_type and not self.check_secret():
            self.execution.status = 'success'
            self.execution.date_finished = timezone.now()
            self.execution.save()
            return
        super().run(*args, **kwargs)
-        recorders = self.name_recorder_mapper.values()
+        recorders = list(self.name_recorder_mapper.values())
-        recorders = list(recorders)
+        summary = self.get_summary(recorders)
-        self.send_recorder_mail(recorders)
+        print(summary, end='')
-    def send_recorder_mail(self, recorders):
+        if self.record_map:
        recipients = self.execution.recipients
        if not recorders or not recipients:
            return
-        recipients = User.objects.filter(id__in=list(recipients.keys()))
+        failed_recorders = [
            r for r in recorders
            if r.status == ChangeSecretRecordStatusChoice.failed.value
        ]
        recipients = self.execution.recipients
        recipients = User.objects.filter(id__in=list(recipients.keys()))
        if not recipients:
            return
        if failed_recorders:
            name = self.execution.snapshot.get('name')
            execution_id = str(self.execution.id)
            _ids = [r.id for r in failed_recorders]
            asset_account_errors = ChangeSecretRecord.objects.filter(
                id__in=_ids).values_list('asset__name', 'account__username', 'error')
            for user in recipients:
                ChangeSecretFailedMsg(name, execution_id, user, asset_account_errors).publish()
        if not recorders:
            return
        self.send_recorder_mail(recipients, recorders, summary)
    def send_recorder_mail(self, recipients, recorders, summary):
        name = self.execution.snapshot['name']
        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
+        filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
        if not self.create_file(recorders, filename):
            return
        for user in recipients:
            attachments = []
            if user.secret_key:
-                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.zip')
-                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, user.secret_key, [filename])
                encrypt_and_compress_zip_file(attachment, password, [filename])
                attachments = [attachment]
-            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
+            ChangeSecretExecutionTaskMsg(name, user, summary).publish(attachments)
        os.remove(filename)
    @staticmethod
@@ -222,8 +301,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        rows.insert(0, header)
        wb = Workbook(filename)
-        ws = wb.create_sheet('Sheet1')
+        ws = wb.add_worksheet('Sheet1')
-        for row in rows:
+        for row_index, row_data in enumerate(rows):
-            ws.append(row)
+            for col_index, col_data in enumerate(row_data):
-        wb.save(filename)
+                ws.write_string(row_index, col_index, col_data)
        wb.close()
        return True
--- a/apps/accounts/automations/endpoint.py
+++ b/apps/accounts/automations/endpoint.py
@@ -1,8 +1,9 @@
 from .push_account.manager import PushAccountManager
 from .change_secret.manager import ChangeSecretManager
 from .verify_account.manager import VerifyAccountManager
 from .backup_account.manager import AccountBackupManager
 from .change_secret.manager import ChangeSecretManager
 from .gather_accounts.manager import GatherAccountsManager
 from .push_account.manager import PushAccountManager
 from .remove_account.manager import RemoveAccountManager
 from .verify_account.manager import VerifyAccountManager
 from .verify_gateway_account.manager import VerifyGatewayAccountManager
 from ..const import AutomationTypes
@@ -12,6 +13,7 @@ class ExecutionManager:
        AutomationTypes.push_account: PushAccountManager,
        AutomationTypes.change_secret: ChangeSecretManager,
        AutomationTypes.verify_account: VerifyAccountManager,
        AutomationTypes.remove_account: RemoveAccountManager,
        AutomationTypes.gather_accounts: GatherAccountsManager,
        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
        # TODO 后期迁移到自动化策略中
--- a/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Get info
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        filter: users
--- a/apps/accounts/automations/gather_accounts/database/mysql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mysql/main.yml
@@ -1,7 +1,11 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Get info
@@ -10,6 +14,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: users
      register: db_info
--- a/apps/accounts/automations/gather_accounts/database/oracle/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oralce
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Get info
--- a/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
@@ -1,7 +1,11 @@
 - hosts: postgresql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Get info
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        filter: "roles"
      register: db_info
--- a/apps/accounts/automations/gather_accounts/filter.py
+++ b/apps/accounts/automations/gather_accounts/filter.py
@@ -31,7 +31,7 @@ class GatherAccountsFilter:
    def posix_filter(info):
        username_pattern = re.compile(r'^(\S+)')
        ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
-        login_time_pattern = re.compile(r'\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}')
+        login_time_pattern = re.compile(r'\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}')
        result = {}
        for line in info:
            usernames = username_pattern.findall(line)
@@ -46,7 +46,8 @@ class GatherAccountsFilter:
                result[username].update({'address': ip_addr})
            login_times = login_time_pattern.findall(line)
            if login_times:
-                date = timezone.datetime.strptime(f'{login_times[0]} +0800', '%b %d %H:%M:%S %Y %z')
+                datetime_str = login_times[0].split(' ', 1)[1] + " +0800"
                date = timezone.datetime.strptime(datetime_str, '%b %d %H:%M:%S %Y %z')
                result[username].update({'date': date})
        return result
--- a/apps/accounts/automations/gather_accounts/host/windows/main.yml
+++ b/apps/accounts/automations/gather_accounts/host/windows/main.yml
@@ -1,9 +1,10 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Gather posix account
+    - name: Gather windows account
      ansible.builtin.win_shell: net user
      register: result
      ignore_errors: true
    - name: Define info by set_fact
      ansible.builtin.set_fact:
--- a/apps/accounts/automations/gather_accounts/manager.py
+++ b/apps/accounts/automations/gather_accounts/manager.py
@@ -1,9 +1,14 @@
 from collections import defaultdict
 from accounts.const import AutomationTypes
 from accounts.models import GatheredAccount
 from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org
 from users.models import User
 from .filter import GatherAccountsFilter
 from ..base.manager import AccountBasePlaybookManager
 from ...notifications import GatherAccountChangeMsg
 logger = get_logger(__name__)
@@ -12,6 +17,9 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.host_asset_mapper = {}
        self.asset_account_info = {}
        self.asset_username_mapper = defaultdict(set)
        self.is_sync_account = self.execution.snapshot.get('is_sync_account')
    @classmethod
@@ -26,10 +34,11 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def filter_success_result(self, tp, result):
        result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
        return result
-    @staticmethod
+
-    def generate_data(asset, result):
+    def generate_data(self, asset, result):
        data = []
        for username, info in result.items():
            self.asset_username_mapper[str(asset.id)].add(username)
            d = {'asset': asset, 'username': username, 'present': True}
            if info.get('date'):
                d['date_last_login'] = info['date']
@@ -38,26 +47,93 @@ class GatherAccountsManager(AccountBasePlaybookManager):
            data.append(d)
        return data
-    def update_or_create_accounts(self, asset, result):
+    def collect_asset_account_info(self, asset, result):
        data = self.generate_data(asset, result)
-        with tmp_to_org(asset.org_id):
+        self.asset_account_info[asset] = data
-            gathered_accounts = []
+
-            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+    @staticmethod
-            for d in data:
+    def get_nested_info(data, *keys):
-                username = d['username']
+        for key in keys:
-                gathered_account, __ = GatheredAccount.objects.update_or_create(
+            data = data.get(key, {})
-                    defaults=d, asset=asset, username=username,
+            if not data:
-                )
+                break
-                gathered_accounts.append(gathered_account)
+        return data
            if not self.is_sync_account:
                return
            GatheredAccount.sync_accounts(gathered_accounts)
    def on_host_success(self, host, result):
-        info = result.get('debug', {}).get('res', {}).get('info', {})
+        info = self.get_nested_info(result, 'debug', 'res', 'info')
        asset = self.host_asset_mapper.get(host)
        if asset and info:
            result = self.filter_success_result(asset.type, info)
-            self.update_or_create_accounts(asset, result)
+            self.collect_asset_account_info(asset, result)
        else:
-            logger.error("Not found info".format(host))
+            print(f'\033[31m Not found {host} info \033[0m\n')
    def update_or_create_accounts(self):
        for asset, data in self.asset_account_info.items():
            with tmp_to_org(asset.org_id):
                gathered_accounts = []
                GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
                for d in data:
                    username = d['username']
                    gathered_account, __ = GatheredAccount.objects.update_or_create(
                        defaults=d, asset=asset, username=username,
                    )
                    gathered_accounts.append(gathered_account)
                if not self.is_sync_account:
                    continue
                GatheredAccount.sync_accounts(gathered_accounts)
    def run(self, *args, **kwargs):
        super().run(*args, **kwargs)
        users, change_info = self.generate_send_users_and_change_info()
        self.update_or_create_accounts()
        self.send_email_if_need(users, change_info)
    def generate_send_users_and_change_info(self):
        recipients = self.execution.recipients
        if not self.asset_username_mapper or not recipients:
            return None, None
        users = User.objects.filter(id__in=recipients)
        if not users.exists():
            return users, None
        asset_ids = self.asset_username_mapper.keys()
        assets = Asset.objects.filter(id__in=asset_ids).prefetch_related('accounts')
        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
        asset_id_map = {str(asset.id): asset for asset in assets}
        asset_id_username = list(assets.values_list('id', 'accounts__username'))
        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
        system_asset_username_mapper = defaultdict(set)
        for asset_id, username in asset_id_username:
            system_asset_username_mapper[str(asset_id)].add(username)
        change_info = defaultdict(dict)
        for asset_id, usernames in self.asset_username_mapper.items():
            system_usernames = system_asset_username_mapper.get(asset_id)
            if not system_usernames:
                continue
            add_usernames = usernames - system_usernames
            remove_usernames = system_usernames - usernames
            if not add_usernames and not remove_usernames:
                continue
            change_info[str(asset_id_map[asset_id])] = {
                'add_usernames': add_usernames,
                'remove_usernames': remove_usernames
            }
        return users, dict(change_info)
    @staticmethod
    def send_email_if_need(users, change_info):
        if not users or not change_info:
            return
        for user in users:
            GatherAccountChangeMsg(user, change_info).publish_async()
--- a/apps/accounts/automations/push_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/push_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test MongoDB connection
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/push_account/database/mysql/main.yml
+++ b/apps/accounts/automations/push_account/database/mysql/main.yml
@@ -1,8 +1,12 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Test MySQL connection
@@ -11,6 +15,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
      register: db_info
@@ -24,6 +32,10 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -37,4 +49,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/apps/accounts/automations/push_account/database/oracle/main.yml
+++ b/apps/accounts/automations/push_account/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test Oracle connection
@@ -39,3 +39,4 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ account.mode }}"
--- a/apps/accounts/automations/push_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/push_account/database/postgresql/main.yml
@@ -1,7 +1,11 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Test PostgreSQL connection
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      register: result
      failed_when: not result.is_available
@@ -28,9 +36,14 @@
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
      register: change_info
    - name: Verify password
      community.postgresql.postgresql_ping:
@@ -39,6 +52,12 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      when:
        - result is succeeded
        - change_info is succeeded
      register: result
      failed_when: not result.is_available
--- a/apps/accounts/automations/push_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/push_account/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0
      register: change_info
@@ -52,7 +52,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0
      register: change_info
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
-        groups: "{{ params.groups }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
        append: yes
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: "Get home directory for {{ account.username }}"
      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
      register: home_dir
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Check if home directory exists for {{ account.username }}"
      ansible.builtin.stat:
        path: "{{ home_dir.stdout.strip() }}"
      register: home_dir_stat
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Ensure {{ account.username }} home directory exists"
      ansible.builtin.file:
        path: "{{ home_dir.stdout.strip() }}"
        state: directory
        owner: "{{ account.username }}"
        group: "{{ account.username }}"
        mode: '0750'
      when:
        - account.secret_type == "ssh_key"
        - home_dir_stat.stat.exists == false
      ignore_errors: yes
    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
      ignore_errors: yes
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
@@ -79,8 +93,13 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
@@ -90,8 +109,8 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/aix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/aix/manifest.yml
@@ -5,11 +5,17 @@ type:
  - AIX
 method: push_account
 params:
  - name: modify_sudo
    type: bool
    label: "{{ 'Modify sudo label' | trans }}"
    default: False
    help_text: "{{ 'Modify params sudo help text' | trans }}"
  - name: sudo
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
-    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+    help_text: "{{ 'Params sudo help text' | trans }}"
  - name: shell
    type: str
@@ -18,19 +24,69 @@ params:
  - name: home
    type: str
-    label: '家目录'
+    label: "{{ 'Params home label' | trans }}"
    default: ''
-    help_text: '默认家目录 /home/系统用户名: /home/username'
+    help_text: "{{ 'Params home help text' | trans }}"
  - name: groups
    type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
    default: ''
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    help_text: "{{ 'Params groups help text' | trans }}"
  - name: uid
    type: str
    label: "{{ 'Params uid label' | trans }}"
    default: ''
    help_text: "{{ 'Params uid help text' | trans }}"
 i18n:
  Aix account push:
-    zh: 使用 Ansible 模块 user 执行 Aix 账号推送 (DES)
+    zh: '使用 Ansible 模块 user 执行 Aix 账号推送 (DES)'
-    ja: Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)
+    ja: 'Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)'
-    en: Using Ansible module user to push account (DES)
+    en: 'Using Ansible module user to push account (DES)'
  Modify params sudo help text:
    zh: '如果用户存在，可以修改sudo权限'
    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
    en: 'If the user exists, sudo permissions can be modified'
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params uid help text:
    zh: '请输入用户ID'
    ja: 'ユーザーIDを入力してください'
    en: 'Please enter the user ID'
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
    en: 'Modify sudo'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
  Params uid label:
    zh: '用户ID'
    ja: 'ユーザーID'
    en: 'User ID'
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
-        groups: "{{ params.groups }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
        append: yes
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: "Get home directory for {{ account.username }}"
      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
      register: home_dir
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Check if home directory exists for {{ account.username }}"
      ansible.builtin.stat:
        path: "{{ home_dir.stdout.strip() }}"
      register: home_dir_stat
      when: account.secret_type == "ssh_key"
      ignore_errors: yes
    - name: "Ensure {{ account.username }} home directory exists"
      ansible.builtin.file:
        path: "{{ home_dir.stdout.strip() }}"
        state: directory
        owner: "{{ account.username }}"
        group: "{{ account.username }}"
        mode: '0750'
      when:
        - account.secret_type == "ssh_key"
        - home_dir_stat.stat.exists == false
      ignore_errors: yes
    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
      ignore_errors: yes
    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
@@ -79,8 +93,13 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
@@ -90,8 +109,8 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-        become: false
+        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/posix/manifest.yml
@@ -6,11 +6,17 @@ type:
  - linux
 method: push_account
 params:
  - name: modify_sudo
    type: bool
    label: "{{ 'Modify sudo label' | trans }}"
    default: False
    help_text: "{{ 'Modify params sudo help text' | trans }}"
  - name: sudo
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
-    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+    help_text: "{{ 'Params sudo help text' | trans }}"
  - name: shell
    type: str
@@ -20,18 +26,69 @@ params:
  - name: home
    type: str
-    label: '家目录'
+    label: "{{ 'Params home label' | trans }}"
    default: ''
-    help_text: '默认家目录 /home/系统用户名: /home/username'
+    help_text: "{{ 'Params home help text' | trans }}"
  - name: groups
    type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
    default: ''
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    help_text: "{{ 'Params groups help text' | trans }}"
  - name: uid
    type: str
    label: "{{ 'Params uid label' | trans }}"
    default: ''
    help_text: "{{ 'Params uid help text' | trans }}"
 i18n:
  Posix account push:
-    zh: 使用 Ansible 模块 user 执行账号推送 (sha512)
+    zh: '使用 Ansible 模块 user 执行账号推送 (sha512)'
-    ja: Ansible user モジュールを使用してアカウントをプッシュする (sha512)
+    ja: 'Ansible user モジュールを使用してアカウントをプッシュする (sha512)'
-    en: Using Ansible module user to push account (sha512)
+    en: 'Using Ansible module user to push account (sha512)'
  Modify params sudo help text:
    zh: '如果用户存在，可以修改sudo权限'
    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
    en: 'If the user exists, sudo permissions can be modified'
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params uid help text:
    zh: '请输入用户ID'
    ja: 'ユーザーIDを入力してください'
    en: 'Please enter the user ID'
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
    en: 'Modify sudo'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
  Params uid label:
    zh: '用户ID'
    ja: 'ユーザーID'
    en: 'User ID'
--- a/apps/accounts/automations/push_account/host/windows/manifest.yml
+++ b/apps/accounts/automations/push_account/host/windows/manifest.yml
@@ -10,10 +10,15 @@ params:
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account push:
-    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送'
-    ja: Ansible win_user モジュールを使用して Windows アカウントをプッシュする
+    ja: 'Ansible win_user モジュールを使用して Windows アカウントをプッシュする'
-    en: Using Ansible module win_user to push account
+    en: 'Using Ansible module win_user to push account'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
@@ -0,0 +1,35 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: Test privileged account
      ansible.windows.win_ping:
 #    - name: Print variables
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
    - name: Push user password
      ansible.windows.win_user:
        fullname: "{{ account.username}}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        password_never_expires: yes
        groups: "{{ params.groups }}"
        groups_action: add
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
    - name: Verify password (pyfreerdp)
      rdp_ping:
        login_host: "{{ jms_asset.origin_address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        gateway_args: "{{ jms_gateway | default({}) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
@@ -0,0 +1,25 @@
 id: push_account_windows_rdp_verify
 name: "{{ 'Windows account push rdp verify' | trans }}"
 version: 1
 method: push_account
 category: host
 type:
  - windows
 priority: 49
 params:
  - name: groups
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account push rdp verify:
    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送（最后使用 Python 模块 pyfreerdp 验证账号的可连接性）'
    ja: 'Ansible モジュール win_user を使用して Windows アカウントのプッシュを実行します (最後に Python モジュール pyfreerdp を使用してアカウントの接続性を確認します)'
    en: 'Use the Ansible module win_user to perform Windows account push (finally use the Python module pyfreerdp to verify the connectability of the account)'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/push_account/manager.py
+++ b/apps/accounts/automations/push_account/manager.py
@@ -1,7 +1,4 @@
-from copy import deepcopy
+from accounts.const import AutomationTypes
 from accounts.const import AutomationTypes, SecretType, Connectivity
 from assets.const import HostTypes
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 from ..change_secret.manager import ChangeSecretManager
@@ -10,83 +7,16 @@ logger = get_logger(__name__)
 class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
-    ansible_account_prefer = ''
+
    @staticmethod
    def require_update_version(account, recorder):
        account.skip_history_when_saving = True
        return False
    @classmethod
    def method_type(cls):
        return AutomationTypes.push_account
    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
        host = super(ChangeSecretManager, self).host_callback(
            host, asset=asset, account=account, automation=automation,
            path_dir=path_dir, **kwargs
        )
        if host.get('error'):
            return host
        accounts = self.get_accounts(account)
        inventory_hosts = []
        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
            msg = f'Windows {asset} does not support ssh key push'
            print(msg)
            return inventory_hosts
        host['ssh_params'] = {}
        for account in accounts:
            h = deepcopy(host)
            secret_type = account.secret_type
            h['name'] += '(' + account.username + ')'
            if self.secret_type is None:
                new_secret = account.secret
            else:
                new_secret = self.get_secret(secret_type)
            self.name_recorder_mapper[h['name']] = {
                'account': account, 'new_secret': new_secret,
            }
            private_key_path = None
            if secret_type == SecretType.SSH_KEY:
                private_key_path = self.generate_private_key_path(new_secret, path_dir)
                new_secret = self.generate_public_key(new_secret)
            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
            h['account'] = {
                'name': account.name,
                'username': account.username,
                'secret_type': secret_type,
                'secret': new_secret,
                'private_key_path': private_key_path
            }
            if asset.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
            inventory_hosts.append(h)
        return inventory_hosts
    def on_host_success(self, host, result):
        account_info = self.name_recorder_mapper.get(host)
        if not account_info:
            return
        account = account_info['account']
        new_secret = account_info['new_secret']
        if not account:
            return
        account.secret = new_secret
        account.save(update_fields=['secret'])
        account.set_connectivity(Connectivity.OK)
    def on_host_error(self, host, error, result):
        pass
    def on_runner_failed(self, runner, e):
        logger.error("Pust account error: ", e)
    def run(self, *args, **kwargs):
        if self.secret_type and not self.check_secret():
            return
        super(ChangeSecretManager, self).run(*args, **kwargs)
    # @classmethod
    # def trigger_by_asset_create(cls, asset):
    #     automations = PushAccountAutomation.objects.filter(
--- a/apps/accounts/automations/remove_account/init.py
+++ b/apps/accounts/automations/remove_account/init.py
--- a/apps/accounts/automations/remove_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/remove_account/database/mongodb/main.yml
@@ -0,0 +1,21 @@
 - hosts: mongodb
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      mongodb_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/mongodb/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/mongodb/manifest.yml
@@ -0,0 +1,12 @@
 id: remove_account_mongodb
 name: "{{ 'MongoDB account remove' | trans }}"
 category: database
 type:
  - mongodb
 method: remove_account
 i18n:
  MongoDB account remove:
    zh: 使用 Ansible 模块 mongodb 删除账号
    ja: Ansible モジュール mongodb を使用してアカウントを削除する
    en: Delete account using Ansible module mongodb
--- a/apps/accounts/automations/remove_account/database/mysql/main.yml
+++ b/apps/accounts/automations/remove_account/database/mysql/main.yml
@@ -0,0 +1,22 @@
 - hosts: mysql
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: "Remove account"
      community.mysql.mysql_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/mysql/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/mysql/manifest.yml
@@ -0,0 +1,14 @@
 id: remove_account_mysql
 name: "{{ 'MySQL account remove' | trans }}"
 category: database
 type:
  - mysql
  - mariadb
 method: remove_account
 i18n:
  MySQL account remove:
    zh: 使用 Ansible 模块 mysql_user 删除账号
    ja: Ansible モジュール mysql_user を使用してアカウントを削除します
    en: Use the Ansible module mysql_user to delete the account
--- a/apps/accounts/automations/remove_account/database/oracle/main.yml
+++ b/apps/accounts/automations/remove_account/database/oracle/main.yml
@@ -0,0 +1,16 @@
 - hosts: oracle
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      oracle_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ jms_account.mode }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/oracle/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/oracle/manifest.yml
@@ -0,0 +1,12 @@
 id: remove_account_oracle
 name: "{{ 'Oracle account remove' | trans }}"
 category: database
 type:
  - oracle
 method: remove_account
 i18n:
  Oracle account remove:
    zh: 使用 Python 模块 oracledb 删除账号
    ja: Python モジュール oracledb を使用してアカウントを検証する
    en: Using Python module oracledb to verify account
--- a/apps/accounts/automations/remove_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/remove_account/database/postgresql/main.yml
@@ -0,0 +1,23 @@
 - hosts: postgresql
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: "Remove account"
      community.postgresql.postgresql_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/postgresql/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/postgresql/manifest.yml
@@ -0,0 +1,12 @@
 id: remove_account_postgresql
 name: "{{ 'PostgreSQL account remove' | trans }}"
 category: database
 type:
  - postgresql
 method: remove_account
 i18n:
  PostgreSQL account remove:
    zh: 使用 Ansible 模块 postgresql_user 删除账号
    ja: Ansible モジュール postgresql_user を使用してアカウントを削除します
    en: Use the Ansible module postgresql_user to delete the account
--- a/apps/accounts/automations/remove_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/remove_account/database/sqlserver/main.yml
@@ -0,0 +1,14 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      community.general.mssql_script:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: "{{ jms_asset.spec_info.db_name }}"
        script: "DROP USER {{ account.username }}"
--- a/apps/accounts/automations/remove_account/database/sqlserver/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/sqlserver/manifest.yml
@@ -0,0 +1,12 @@
 id: remove_account_sqlserver
 name: "{{ 'SQLServer account remove' | trans }}"
 category: database
 type:
  - sqlserver
 method: remove_account
 i18n:
  SQLServer account remove:
    zh: 使用 Ansible 模块 mssql 删除账号
    ja: Ansible モジュール mssql を使用してアカウントを削除する
    en: Use Ansible module mssql to delete account
--- a/apps/accounts/automations/remove_account/host/posix/main.yml
+++ b/apps/accounts/automations/remove_account/host/posix/main.yml
@@ -0,0 +1,28 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: "Get user home directory path"
      ansible.builtin.shell:
        cmd: "getent passwd {{ account.username }} | cut -d: -f6"
      register: user_home_dir
      ignore_errors: yes
    - name: "Check if user home directory exists"
      ansible.builtin.stat:
        path: "{{ user_home_dir.stdout }}"
      register: home_dir
      when: user_home_dir.stdout != ""
      ignore_errors: yes
    - name: "Rename user home directory if it exists"
      ansible.builtin.command:
        cmd: "mv {{ user_home_dir.stdout }} {{ user_home_dir.stdout }}.bak"
      when: home_dir.stat | default(false) and user_home_dir.stdout != ""
      ignore_errors: yes
    - name: "Remove account"
      ansible.builtin.user:
        name: "{{ account.username }}"
        state: absent
        remove: "{{ home_dir.stat.exists }}"
      when: home_dir.stat | default(false)
--- a/apps/accounts/automations/remove_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/remove_account/host/posix/manifest.yml
@@ -0,0 +1,13 @@
 id: remove_account_posix
 name: "{{ 'Posix account remove' | trans }}"
 category: host
 type:
  - linux
  - unix
 method: remove_account
 i18n:
  Posix account remove:
    zh: 使用 Ansible 模块 user 删除账号
    ja: Ansible モジュール ユーザーを使用してアカウントを削除します
    en: Use the Ansible module user to delete the account
--- a/apps/accounts/automations/remove_account/host/windows/main.yml
+++ b/apps/accounts/automations/remove_account/host/windows/main.yml
@@ -0,0 +1,7 @@
 - hosts: windows
  gather_facts: no
  tasks:
    - name: "Remove account"
      ansible.windows.win_user:
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/host/windows/manifest.yml
+++ b/apps/accounts/automations/remove_account/host/windows/manifest.yml
@@ -0,0 +1,13 @@
 id: remove_account_windows
 name: "{{ 'Windows account remove' | trans }}"
 version: 1
 method: remove_account
 category: host
 type:
  - windows
 i18n:
  Windows account remove:
    zh: 使用 Ansible 模块 win_user 删除账号
    ja: Ansible モジュール win_user を使用してアカウントを削除する
    en: Use the Ansible module win_user to delete an account
--- a/apps/accounts/automations/remove_account/manager.py
+++ b/apps/accounts/automations/remove_account/manager.py
@@ -0,0 +1,70 @@
 import os
 from copy import deepcopy
 from django.db.models import QuerySet
 from accounts.const import AutomationTypes
 from accounts.models import Account
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 logger = get_logger(__name__)
 class RemoveAccountManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.host_account_mapper = {}
    def prepare_runtime_dir(self):
        path = super().prepare_runtime_dir()
        ansible_config_path = os.path.join(path, 'ansible.cfg')
        with open(ansible_config_path, 'w') as f:
            f.write('[ssh_connection]\n')
            f.write('ssh_args = -o ControlMaster=no -o ControlPersist=no\n')
        return path
    @classmethod
    def method_type(cls):
        return AutomationTypes.remove_account
    def get_gather_accounts(self, privilege_account, gather_accounts: QuerySet):
        gather_account_ids = self.execution.snapshot['gather_accounts']
        gather_accounts = gather_accounts.filter(id__in=gather_account_ids)
        gather_accounts = gather_accounts.exclude(
            username__in=[privilege_account.username, 'root', 'Administrator']
        )
        return gather_accounts
    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
        if host.get('error'):
            return host
        gather_accounts = asset.gatheredaccount_set.all()
        gather_accounts = self.get_gather_accounts(account, gather_accounts)
        inventory_hosts = []
        for gather_account in gather_accounts:
            h = deepcopy(host)
            h['name'] += '(' + gather_account.username + ')'
            self.host_account_mapper[h['name']] = (asset, gather_account)
            h['account'] = {'username': gather_account.username}
            inventory_hosts.append(h)
        return inventory_hosts
    def on_host_success(self, host, result):
        tuple_asset_gather_account = self.host_account_mapper.get(host)
        if not tuple_asset_gather_account:
            return
        asset, gather_account = tuple_asset_gather_account
        try:
            Account.objects.filter(
                asset_id=asset.id,
                username=gather_account.username
            ).delete()
            gather_account.delete()
        except Exception as e:
            print(f'\033[31m Delete account {gather_account.username} failed: {e} \033[0m\n')
--- a/apps/accounts/automations/verify_account/custom/rdp/main.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/main.yml
@@ -3,6 +3,7 @@
  vars:
    ansible_shell_type: sh
    ansible_connection: local
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Verify account (pyfreerdp)
@@ -12,4 +13,3 @@
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
--- a/apps/accounts/automations/verify_account/custom/rdp/manifest.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/manifest.yml
@@ -5,9 +5,11 @@ category:
 type:
  - windows
 method: verify_account
 protocol: rdp
 priority: 1
 i18n:
  Windows rdp account verify:
-    zh: 使用 Python 模块 pyfreerdp 验证账号
+    zh: '使用 Python 模块 pyfreerdp 验证账号'
-    ja: Python モジュール pyfreerdp を使用してアカウントを検証する
+    ja: 'Python モジュール pyfreerdp を使用してアカウントを検証する'
-    en: Using Python module pyfreerdp to verify account
+    en: 'Using Python module pyfreerdp to verify account'
--- a/apps/accounts/automations/verify_account/custom/ssh/main.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/main.yml
@@ -2,6 +2,7 @@
  gather_facts: no
  vars:
    ansible_connection: local
    ansible_shell_type: sh
    ansible_become: false
  tasks:
@@ -13,8 +14,10 @@
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
-        become: "{{ custom_become | default(False) }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: "{{ custom_become_method | default('su') }}"
+        become_method: "{{ account.become.ansible_become_method | default('su') }}"
-        become_user: "{{ custom_become_user | default('') }}"
+        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ custom_become_password | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
--- a/apps/accounts/automations/verify_account/custom/ssh/manifest.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/manifest.yml
@@ -6,9 +6,11 @@ category:
 type:
  - all
 method: verify_account
 protocol: ssh
 priority: 50
 i18n:
  SSH account verify:
-    zh: 使用 Python 模块 paramiko 验证账号
+    zh: '使用 Python 模块 paramiko 验证账号'
-    ja: Python モジュール paramiko を使用してアカウントを検証する
+    ja: 'Python モジュール paramiko を使用してアカウントを検証する'
-    en: Using Python module paramiko to verify account
+    en: 'Using Python module paramiko to verify account'
--- a/apps/accounts/automations/verify_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/verify_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
- hosts: mongdb
+- hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Verify account
@@ -12,7 +12,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
--- a/apps/accounts/automations/verify_account/database/mysql/main.yml
+++ b/apps/accounts/automations/verify_account/database/mysql/main.yml
@@ -1,7 +1,11 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
  tasks:
    - name: Verify account
@@ -10,4 +14,8 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/Show More
+++ b/Show More