chore(version): bump version number

Revert "fix(api): fix invalid resource control check (#3225 )" (#3327 )
This reverts commit 1fbe6a12f1.
2019-11-05 14:41:27 +13:00 · 2019-11-01 17:48:51 +13:00 · 2019-11-01 17:48:20 +13:00
1044 changed files with 36690 additions and 44047 deletions
--- a/.babelrc
+++ b/.babelrc
@@ -5,7 +5,7 @@
      "@babel/preset-env",
      {
        "modules": false,
-        "useBuiltIns": "entry"
+        "useBuiltIns": "usage"
      }
    ]
  ]
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -10,10 +10,6 @@ globals:

 extends:
  - 'eslint:recommended'
-  - prettier
-
-plugins:
-  - import

 parserOptions:
  ecmaVersion: 2018
@@ -21,9 +17,276 @@ parserOptions:
  ecmaFeatures:
    modules: true

+# # http://eslint.org/docs/rules/
 rules:
-  no-control-regex: off
+#   # Possible Errors
+#   no-await-in-loop: off
+#   no-cond-assign: error
+#   no-console: off
+#   no-constant-condition: error
+#   no-control-regex: error
+#   no-debugger: error
+#   no-dupe-args: error
+#   no-dupe-keys: error
+#   no-duplicate-case: error
+#   no-empty-character-class: error
  no-empty: warn
+#   no-ex-assign: error
+#   no-extra-boolean-cast: error
+#   no-extra-parens: off
+#   no-extra-semi: error
+#   no-func-assign: error
+#   no-inner-declarations:
+#     - error
+#     - functions
+#   no-invalid-regexp: error
+#   no-irregular-whitespace: error
+#   no-negated-in-lhs: error
+#   no-obj-calls: error
+#   no-prototype-builtins: off
+#   no-regex-spaces: error
+#   no-sparse-arrays: error
+#   no-template-curly-in-string: off
+#   no-unexpected-multiline: error
+#   no-unreachable: error
+#   no-unsafe-finally: off
+#   no-unsafe-negation: off
+#   use-isnan: error
+#   valid-jsdoc: off
+#   valid-typeof: error
+
+#   # Best Practices
+#   accessor-pairs: error
+#   array-callback-return: off
+#   block-scoped-var: off
+#   class-methods-use-this: off
+#   complexity:
+#     - error
+#     - 6
+#   consistent-return: off
+#   curly: off
+#   default-case: off
+#   dot-location: off
+#   dot-notation: off
+#   eqeqeq: error
+#   guard-for-in: error
+#   no-alert: error
+#   no-caller: error
+#   no-case-declarations: error
+#   no-div-regex: error
+#   no-else-return: off
  no-empty-function: warn
+#   no-empty-pattern: error
+#   no-eq-null: error
+#   no-eval: error
+#   no-extend-native: error
+#   no-extra-bind: error
+#   no-extra-label: off
+#   no-fallthrough: error
+#   no-floating-decimal: off
+#   no-global-assign: off
+#   no-implicit-coercion: off
+#   no-implied-eval: error
+#   no-invalid-this: off
+#   no-iterator: error
+#   no-labels:
+#     - error
+#     - allowLoop: true
+#       allowSwitch: true
+#   no-lone-blocks: error
+#   no-loop-func: error
+#   no-magic-number: off
+#   no-multi-spaces: off
+#   no-multi-str: off
+#   no-native-reassign: error
+#   no-new-func: error
+#   no-new-wrappers: error
+#   no-new: error
+#   no-octal-escape: error
+#   no-octal: error
+#   no-param-reassign: off
+#   no-proto: error
+#   no-redeclare: error
+#   no-restricted-properties: off
+#   no-return-assign: error
+#   no-return-await: off
+#   no-script-url: error
+#   no-self-assign: off
+#   no-self-compare: error
+#   no-sequences: off
+#   no-throw-literal: off
+#   no-unmodified-loop-condition: off
+#   no-unused-expressions: error
+#   no-unused-labels: off
+#   no-useless-call: error
+#   no-useless-concat: error
  no-useless-escape: off
-  import/order: error
+#   no-useless-return: off
+#   no-void: error
+#   no-warning-comments: off
+#   no-with: error
+#   prefer-promise-reject-errors: off
+#   radix: error
+#   require-await: off
+#   vars-on-top: off
+#   wrap-iife: error
+#   yoda: off
+
+#   # Strict
+#   strict: off
+
+#   # Variables
+#   init-declarations: off
+#   no-catch-shadow: error
+#   no-delete-var: error
+#   no-label-var: error
+#   no-restricted-globals: off
+#   no-shadow-restricted-names: error
+#   no-shadow: off
+#   no-undef-init: error
+#   no-undef: off
+#   no-undefined: off
+#   no-unused-vars:
+#     - warn
+#     -
+#       vars: local
+#   no-use-before-define: off
+
+#   # Node.js and CommonJS
+#   callback-return: error
+#   global-require: error
+#   handle-callback-err: error
+#   no-mixed-requires: off
+#   no-new-require: off
+#   no-path-concat: error
+#   no-process-env: off
+#   no-process-exit: error
+#   no-restricted-modules: off
+#   no-sync: off
+
+#   # Stylistic Issues
+#   array-bracket-spacing: off
+#   block-spacing: off
+#   brace-style: off
+#   camelcase: off
+#   capitalized-comments: off
+#   comma-dangle:
+#     - error
+#     - never
+#   comma-spacing: off
+#   comma-style: off
+#   computed-property-spacing: off
+#   consistent-this: off
+#   eol-last: off
+#   func-call-spacing: off
+#   func-name-matching: off
+#   func-names: off
+#   func-style: off
+#   id-length: off
+#   id-match: off
+#   indent: off
+#   jsx-quotes: off
+#   key-spacing: off
+#   keyword-spacing: off
+#   line-comment-position: off
+#   linebreak-style:
+#     - error
+#     - unix
+#   lines-around-comment: off
+#   lines-around-directive: off
+#   max-depth: off
+#   max-len: off
+#   max-nested-callbacks: off
+#   max-params: off
+#   max-statements-per-line: off
+#   max-statements:
+#     - error
+#     - 30
+#   multiline-ternary: off
+#   new-cap: off
+#   new-parens: off
+#   newline-after-var: off
+#   newline-before-return: off
+#   newline-per-chained-call: off
+#   no-array-constructor: off
+#   no-bitwise: off
+#   no-continue: off
+#   no-inline-comments: off
+#   no-lonely-if: off
+#   no-mixed-operators: off
+#   no-mixed-spaces-and-tabs: off
+#   no-multi-assign: off
+#   no-multiple-empty-lines: off
+#   no-negated-condition: off
+#   no-nested-ternary: off
+#   no-new-object: off
+#   no-plusplus: off
+#   no-restricted-syntax: off
+#   no-spaced-func: off
+#   no-tabs: off
+#   no-ternary: off
+#   no-trailing-spaces: off
+#   no-underscore-dangle: off
+#   no-unneeded-ternary: off
+#   object-curly-newline: off
+#   object-curly-spacing: off
+#   object-property-newline: off
+#   one-var-declaration-per-line: off
+#   one-var: off
+#   operator-assignment: off
+#   operator-linebreak: off
+#   padded-blocks: off
+#   quote-props: off
+#   quotes:
+#     - error
+#     - single
+#   require-jsdoc: off
+#   semi-spacing: off
+#   semi:
+#     - error
+#     - always
+#   sort-keys: off
+#   sort-vars: off
+#   space-before-blocks: off
+#   space-before-function-paren: off
+#   space-in-parens: off
+#   space-infix-ops: off
+#   space-unary-ops: off
+#   spaced-comment: off
+#   template-tag-spacing: off
+#   unicode-bom: off
+#   wrap-regex: off
+
+#   # ECMAScript 6
+#   arrow-body-style: off
+#   arrow-parens: off
+#   arrow-spacing: off
+#   constructor-super: off
+#   generator-star-spacing: off
+#   no-class-assign: off
+#   no-confusing-arrow: off
+#   no-const-assign: off
+#   no-dupe-class-members: off
+#   no-duplicate-imports: off
+#   no-new-symbol: off
+#   no-restricted-imports: off
+#   no-this-before-super: off
+#   no-useless-computed-key: off
+#   no-useless-constructor: off
+#   no-useless-rename: off
+#   no-var: off
+#   object-shorthand: off
+#   prefer-arrow-callback: off
+#   prefer-const: off
+#   prefer-destructuring: off
+#   prefer-numeric-literals: off
+#   prefer-rest-params: off
+#   prefer-reflect: off
+#   prefer-spread: off
+#   prefer-template: off
+#   require-yield: off
+#   rest-spread-spacing: off
+#   sort-imports: off
+#   symbol-description: off
+#   template-curly-spacing: off
+#   yield-star-spacing: off
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -26,10 +26,6 @@ A clear and concise description of what the bug is.
 **Expected behavior**
 A clear and concise description of what you expected to happen.

-**Portainer Logs**
-Provide the logs of your Portainer container or Service.
-You can see how [here](https://portainer.readthedocs.io/en/stable/faq.html#how-do-i-get-the-logs-from-portainer)
-
 **Steps to reproduce the issue:**
 1. Go to '...'
 2. Click on '....'
--- a/.gitignore
+++ b/.gitignore
@@ -4,5 +4,4 @@ dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
 .tmp
-.vscode
-.eslintcache
+.vscode
--- a/.prettierrc
+++ b/.prettierrc
@@ -1,13 +0,0 @@
-{
-  "printWidth": 180,
-  "singleQuote": true,
-  "htmlWhitespaceSensitivity": "strict",
-  "overrides": [
-    {
-      "files": ["*.html"],
-      "options": {
-        "parser": "angular"
-      }
-    }
-  ]
-}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -15,7 +15,21 @@ For example, if you work on a bugfix for the issue #361, you could name the bran

 ## Issues open to contribution

-Want to contribute but don't know where to start? Have a look at the issues labeled with the `good first issue` label: https://github.com/portainer/portainer/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22
+Want to contribute but don't know where to start?
+
+Some of the open issues are labeled with prefix `exp/`, this is used to mark them as available for contributors to work on. All of these have an attributed difficulty level:
+
+* **beginner**: a task that should be accessible with users not familiar with the codebase
+* **intermediate**: a task that require some understanding of the project codebase or some experience in
+either AngularJS or Golang
+* **advanced**: a task that require a deep understanding of the project codebase
+
+You can use Github filters to list these issues:
+
+* beginner labeled issues: https://github.com/portainer/portainer/labels/exp%2Fbeginner
+* intermediate labeled issues: https://github.com/portainer/portainer/labels/exp%2Fintermediate
+* advanced labeled issues: https://github.com/portainer/portainer/labels/exp%2Fadvanced
+

 ## Commit Message Format

--- a/README.md
+++ b/README.md
@@ -3,14 +3,15 @@
 </p>

 [![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
-[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer 'Image size')
+[![Microbadger](https://images.microbadger.com/badges/image/portainer/portainer.svg)](http://microbadger.com/images/portainer/portainer "Image size")
+[![Documentation Status](https://readthedocs.org/projects/portainer/badge/?version=stable)](http://portainer.readthedocs.io/en/stable/?badge=stable)
 [![Build Status](https://portainer.visualstudio.com/Portainer%20CI/_apis/build/status/Portainer%20CI?branchName=develop)](https://portainer.visualstudio.com/Portainer%20CI/_build/latest?definitionId=3&branchName=develop)
 [![Code Climate](https://codeclimate.com/github/portainer/portainer/badges/gpa.svg)](https://codeclimate.com/github/portainer/portainer)
 [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YHXZJQNJQ36H6)

 **_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
 **_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container, supports other platforms too).
-**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.
+**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the *standalone Docker* engine and with *Docker Swarm mode*.

 ## Demo

@@ -28,31 +29,36 @@ Unlike the public demo, the playground sessions are deleted after 4 hours. Apart

 ## Getting started

- [Deploy Portainer](https://www.portainer.io/installation/)
- [Documentation](https://www.portainer.io/documentation/)
+* [Deploy Portainer](https://portainer.readthedocs.io/en/latest/deployment.html)
+* [Documentation](https://portainer.readthedocs.io)

 ## Getting help

-For FORMAL Support, please purchase a support subscription from here: https://www.portainer.io/products-services/portainer-business-support/
+**NOTE**: You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/

-For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
-
- Issues: https://github.com/portainer/portainer/issues
- FAQ: https://www.portainer.io/documentation/faqs/
- Slack (chat): https://portainer.io/slack/
+* Issues: https://github.com/portainer/portainer/issues
+* FAQ: https://portainer.readthedocs.io/en/latest/faq.html
+* Slack (chat): https://portainer.io/slack/

 ## Reporting bugs and contributing

- Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://www.portainer.io/documentation/how-to-contribute/) to build it locally and make a pull request. We need all the help we can get!
+* Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
+* Want to help us build **_portainer_**? Follow our [contribution guidelines](https://portainer.readthedocs.io/en/latest/contribute.html) to build it  locally and make a pull request. We need all the help we can get!

 ## Security

- Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.
+* Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.

 ## Limitations

-Portainer supports "Current - 2 docker versions only. Prior versions may operate, however these are not supported.
+**_Portainer_** has full support for the following Docker versions:
+
+* Docker 1.10 to the latest version
+* Standalone Docker Swarm >= 1.2.3 _(**NOTE:** Use of Standalone Docker Swarm is being discouraged since the introduction of built-in Swarm Mode in Docker. While older versions of Portainer had support for Standalone Docker Swarm, Portainer 1.17.0 and newer **do not** support it. However, the built-in Swarm Mode of Docker is fully supported.)_
+
+Partial support for the following Docker versions (some features may not be available):
+
+* Docker 1.9

 ## Licensing

@@ -62,4 +68,4 @@ Portainer also contains the following code, which is licensed under the [MIT lic

 UI For Docker: Copyright (c) 2013-2016 Michael Crosby (crosbymichael.com), Kevan Ahlquist (kevanahlquist.com), Anthony Lapenna (portainer.io)

-rdash-angular: Copyright (c) [2014][elliot hesp]
+rdash-angular: Copyright (c) [2014] [Elliot Hesp]
--- a/api/access_control.go
+++ b/api/access_control.go
@@ -1,154 +0,0 @@
-package portainer
-
-// NewPrivateResourceControl will create a new private resource control associated to the resource specified by the
-// identifier and type parameters. It automatically assigns it to the user specified by the userID parameter.
-func NewPrivateResourceControl(resourceIdentifier string, resourceType ResourceControlType, userID UserID) *ResourceControl {
-	return &ResourceControl{
-		Type:           resourceType,
-		ResourceID:     resourceIdentifier,
-		SubResourceIDs: []string{},
-		UserAccesses: []UserResourceAccess{
-			{
-				UserID:      userID,
-				AccessLevel: ReadWriteAccessLevel,
-			},
-		},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             false,
-		System:             false,
-	}
-}
-
-// NewSystemResourceControl will create a new public resource control with the System flag set to true.
-// These kind of resource control are not persisted and are created on the fly by the Portainer API.
-func NewSystemResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       []UserResourceAccess{},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             true,
-		System:             true,
-	}
-}
-
-// NewPublicResourceControl will create a new public resource control.
-func NewPublicResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       []UserResourceAccess{},
-		TeamAccesses:       []TeamResourceAccess{},
-		AdministratorsOnly: false,
-		Public:             true,
-		System:             false,
-	}
-}
-
-// NewRestrictedResourceControl will create a new resource control with user and team accesses restrictions.
-func NewRestrictedResourceControl(resourceIdentifier string, resourceType ResourceControlType, userIDs []UserID, teamIDs []TeamID) *ResourceControl {
-	userAccesses := make([]UserResourceAccess, 0)
-	teamAccesses := make([]TeamResourceAccess, 0)
-
-	for _, id := range userIDs {
-		access := UserResourceAccess{
-			UserID:      id,
-			AccessLevel: ReadWriteAccessLevel,
-		}
-
-		userAccesses = append(userAccesses, access)
-	}
-
-	for _, id := range teamIDs {
-		access := TeamResourceAccess{
-			TeamID:      id,
-			AccessLevel: ReadWriteAccessLevel,
-		}
-
-		teamAccesses = append(teamAccesses, access)
-	}
-
-	return &ResourceControl{
-		Type:               resourceType,
-		ResourceID:         resourceIdentifier,
-		SubResourceIDs:     []string{},
-		UserAccesses:       userAccesses,
-		TeamAccesses:       teamAccesses,
-		AdministratorsOnly: false,
-		Public:             false,
-		System:             false,
-	}
-}
-
-// DecorateStacks will iterate through a list of stacks, check for an associated resource control for each
-// stack and decorate the stack element if a resource control is found.
-func DecorateStacks(stacks []Stack, resourceControls []ResourceControl) []Stack {
-	for idx, stack := range stacks {
-
-		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, StackResourceControl, resourceControls)
-		if resourceControl != nil {
-			stacks[idx].ResourceControl = resourceControl
-		}
-	}
-
-	return stacks
-}
-
-// FilterAuthorizedStacks returns a list of decorated stacks filtered through resource control access checks.
-func FilterAuthorizedStacks(stacks []Stack, user *User, userTeamIDs []TeamID, rbacEnabled bool) []Stack {
-	authorizedStacks := make([]Stack, 0)
-
-	for _, stack := range stacks {
-		_, ok := user.EndpointAuthorizations[stack.EndpointID][EndpointResourcesAccess]
-		if rbacEnabled && ok {
-			authorizedStacks = append(authorizedStacks, stack)
-			continue
-		}
-
-		if stack.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, stack.ResourceControl) {
-			authorizedStacks = append(authorizedStacks, stack)
-		}
-	}
-
-	return authorizedStacks
-}
-
-// UserCanAccessResource will valide that a user has permissions defined in the specified resource control
-// based on its identifier and the team(s) he is part of.
-func UserCanAccessResource(userID UserID, userTeamIDs []TeamID, resourceControl *ResourceControl) bool {
-	for _, authorizedUserAccess := range resourceControl.UserAccesses {
-		if userID == authorizedUserAccess.UserID {
-			return true
-		}
-	}
-
-	for _, authorizedTeamAccess := range resourceControl.TeamAccesses {
-		for _, userTeamID := range userTeamIDs {
-			if userTeamID == authorizedTeamAccess.TeamID {
-				return true
-			}
-		}
-	}
-
-	return resourceControl.Public
-}
-
-// GetResourceControlByResourceIDAndType retrieves the first matching resource control in a set of resource controls
-// based on the specified id and resource type parameters.
-func GetResourceControlByResourceIDAndType(resourceID string, resourceType ResourceControlType, resourceControls []ResourceControl) *ResourceControl {
-	for _, resourceControl := range resourceControls {
-		if resourceID == resourceControl.ResourceID && resourceType == resourceControl.Type {
-			return &resourceControl
-		}
-		for _, subResourceID := range resourceControl.SubResourceIDs {
-			if resourceID == subResourceID {
-				return &resourceControl
-			}
-		}
-	}
-	return nil
-}
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -17,38 +17,32 @@ func UnzipArchive(archiveData []byte, dest string) error {
 	}

 	for _, zipFile := range zipReader.File {
-		err := extractFileFromArchive(zipFile, dest)
+
+		f, err := zipFile.Open()
 		if err != nil {
 			return err
 		}
+		defer f.Close()
+
+		data, err := ioutil.ReadAll(f)
+		if err != nil {
+			return err
+		}
+
+		fpath := filepath.Join(dest, zipFile.Name)
+
+		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, zipFile.Mode())
+		if err != nil {
+			return err
+		}
+
+		_, err = io.Copy(outFile, bytes.NewReader(data))
+		if err != nil {
+			return err
+		}
+
+		outFile.Close()
 	}

 	return nil
 }
-
-func extractFileFromArchive(file *zip.File, dest string) error {
-	f, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	data, err := ioutil.ReadAll(f)
-	if err != nil {
-		return err
-	}
-
-	fpath := filepath.Join(dest, file.Name)
-
-	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(outFile, bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-
-	return outFile.Close()
-}
--- a/api/authorizations.go
+++ b/api/authorizations.go
@@ -3,404 +3,37 @@ package portainer
 // AuthorizationService represents a service used to
 // update authorizations associated to a user or team.
 type AuthorizationService struct {
-	dataStore DataStore
+	endpointService       EndpointService
+	endpointGroupService  EndpointGroupService
+	registryService       RegistryService
+	roleService           RoleService
+	teamMembershipService TeamMembershipService
+	userService           UserService
+}
+
+// AuthorizationServiceParameters are the required parameters
+// used to create a new AuthorizationService.
+type AuthorizationServiceParameters struct {
+	EndpointService       EndpointService
+	EndpointGroupService  EndpointGroupService
+	RegistryService       RegistryService
+	RoleService           RoleService
+	TeamMembershipService TeamMembershipService
+	UserService           UserService
 }

 // NewAuthorizationService returns a point to a new AuthorizationService instance.
-func NewAuthorizationService(dataStore DataStore) *AuthorizationService {
+func NewAuthorizationService(parameters *AuthorizationServiceParameters) *AuthorizationService {
 	return &AuthorizationService{
-		dataStore: dataStore,
+		endpointService:       parameters.EndpointService,
+		endpointGroupService:  parameters.EndpointGroupService,
+		registryService:       parameters.RegistryService,
+		roleService:           parameters.RoleService,
+		teamMembershipService: parameters.TeamMembershipService,
+		userService:           parameters.UserService,
 	}
 }

-// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
-// associated to the endpoint administrator role.
-func DefaultEndpointAuthorizationsForEndpointAdministratorRole() Authorizations {
-	return map[Authorization]bool{
-		OperationDockerContainerArchiveInfo:         true,
-		OperationDockerContainerList:                true,
-		OperationDockerContainerExport:              true,
-		OperationDockerContainerChanges:             true,
-		OperationDockerContainerInspect:             true,
-		OperationDockerContainerTop:                 true,
-		OperationDockerContainerLogs:                true,
-		OperationDockerContainerStats:               true,
-		OperationDockerContainerAttachWebsocket:     true,
-		OperationDockerContainerArchive:             true,
-		OperationDockerContainerCreate:              true,
-		OperationDockerContainerPrune:               true,
-		OperationDockerContainerKill:                true,
-		OperationDockerContainerPause:               true,
-		OperationDockerContainerUnpause:             true,
-		OperationDockerContainerRestart:             true,
-		OperationDockerContainerStart:               true,
-		OperationDockerContainerStop:                true,
-		OperationDockerContainerWait:                true,
-		OperationDockerContainerResize:              true,
-		OperationDockerContainerAttach:              true,
-		OperationDockerContainerExec:                true,
-		OperationDockerContainerRename:              true,
-		OperationDockerContainerUpdate:              true,
-		OperationDockerContainerPutContainerArchive: true,
-		OperationDockerContainerDelete:              true,
-		OperationDockerImageList:                    true,
-		OperationDockerImageSearch:                  true,
-		OperationDockerImageGetAll:                  true,
-		OperationDockerImageGet:                     true,
-		OperationDockerImageHistory:                 true,
-		OperationDockerImageInspect:                 true,
-		OperationDockerImageLoad:                    true,
-		OperationDockerImageCreate:                  true,
-		OperationDockerImagePrune:                   true,
-		OperationDockerImagePush:                    true,
-		OperationDockerImageTag:                     true,
-		OperationDockerImageDelete:                  true,
-		OperationDockerImageCommit:                  true,
-		OperationDockerImageBuild:                   true,
-		OperationDockerNetworkList:                  true,
-		OperationDockerNetworkInspect:               true,
-		OperationDockerNetworkCreate:                true,
-		OperationDockerNetworkConnect:               true,
-		OperationDockerNetworkDisconnect:            true,
-		OperationDockerNetworkPrune:                 true,
-		OperationDockerNetworkDelete:                true,
-		OperationDockerVolumeList:                   true,
-		OperationDockerVolumeInspect:                true,
-		OperationDockerVolumeCreate:                 true,
-		OperationDockerVolumePrune:                  true,
-		OperationDockerVolumeDelete:                 true,
-		OperationDockerExecInspect:                  true,
-		OperationDockerExecStart:                    true,
-		OperationDockerExecResize:                   true,
-		OperationDockerSwarmInspect:                 true,
-		OperationDockerSwarmUnlockKey:               true,
-		OperationDockerSwarmInit:                    true,
-		OperationDockerSwarmJoin:                    true,
-		OperationDockerSwarmLeave:                   true,
-		OperationDockerSwarmUpdate:                  true,
-		OperationDockerSwarmUnlock:                  true,
-		OperationDockerNodeList:                     true,
-		OperationDockerNodeInspect:                  true,
-		OperationDockerNodeUpdate:                   true,
-		OperationDockerNodeDelete:                   true,
-		OperationDockerServiceList:                  true,
-		OperationDockerServiceInspect:               true,
-		OperationDockerServiceLogs:                  true,
-		OperationDockerServiceCreate:                true,
-		OperationDockerServiceUpdate:                true,
-		OperationDockerServiceDelete:                true,
-		OperationDockerSecretList:                   true,
-		OperationDockerSecretInspect:                true,
-		OperationDockerSecretCreate:                 true,
-		OperationDockerSecretUpdate:                 true,
-		OperationDockerSecretDelete:                 true,
-		OperationDockerConfigList:                   true,
-		OperationDockerConfigInspect:                true,
-		OperationDockerConfigCreate:                 true,
-		OperationDockerConfigUpdate:                 true,
-		OperationDockerConfigDelete:                 true,
-		OperationDockerTaskList:                     true,
-		OperationDockerTaskInspect:                  true,
-		OperationDockerTaskLogs:                     true,
-		OperationDockerPluginList:                   true,
-		OperationDockerPluginPrivileges:             true,
-		OperationDockerPluginInspect:                true,
-		OperationDockerPluginPull:                   true,
-		OperationDockerPluginCreate:                 true,
-		OperationDockerPluginEnable:                 true,
-		OperationDockerPluginDisable:                true,
-		OperationDockerPluginPush:                   true,
-		OperationDockerPluginUpgrade:                true,
-		OperationDockerPluginSet:                    true,
-		OperationDockerPluginDelete:                 true,
-		OperationDockerSessionStart:                 true,
-		OperationDockerDistributionInspect:          true,
-		OperationDockerBuildPrune:                   true,
-		OperationDockerBuildCancel:                  true,
-		OperationDockerPing:                         true,
-		OperationDockerInfo:                         true,
-		OperationDockerVersion:                      true,
-		OperationDockerEvents:                       true,
-		OperationDockerSystem:                       true,
-		OperationDockerUndefined:                    true,
-		OperationDockerAgentPing:                    true,
-		OperationDockerAgentList:                    true,
-		OperationDockerAgentHostInfo:                true,
-		OperationDockerAgentBrowseDelete:            true,
-		OperationDockerAgentBrowseGet:               true,
-		OperationDockerAgentBrowseList:              true,
-		OperationDockerAgentBrowsePut:               true,
-		OperationDockerAgentBrowseRename:            true,
-		OperationDockerAgentUndefined:               true,
-		OperationPortainerResourceControlCreate:     true,
-		OperationPortainerResourceControlUpdate:     true,
-		OperationPortainerStackList:                 true,
-		OperationPortainerStackInspect:              true,
-		OperationPortainerStackFile:                 true,
-		OperationPortainerStackCreate:               true,
-		OperationPortainerStackMigrate:              true,
-		OperationPortainerStackUpdate:               true,
-		OperationPortainerStackDelete:               true,
-		OperationPortainerWebsocketExec:             true,
-		OperationPortainerWebhookList:               true,
-		OperationPortainerWebhookCreate:             true,
-		OperationPortainerWebhookDelete:             true,
-		OperationIntegrationStoridgeAdmin:           true,
-		EndpointResourcesAccess:                     true,
-	}
-}
-
-// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
-// associated to the helpdesk role.
-func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo: true,
-		OperationDockerContainerList:        true,
-		OperationDockerContainerChanges:     true,
-		OperationDockerContainerInspect:     true,
-		OperationDockerContainerTop:         true,
-		OperationDockerContainerLogs:        true,
-		OperationDockerContainerStats:       true,
-		OperationDockerImageList:            true,
-		OperationDockerImageSearch:          true,
-		OperationDockerImageGetAll:          true,
-		OperationDockerImageGet:             true,
-		OperationDockerImageHistory:         true,
-		OperationDockerImageInspect:         true,
-		OperationDockerNetworkList:          true,
-		OperationDockerNetworkInspect:       true,
-		OperationDockerVolumeList:           true,
-		OperationDockerVolumeInspect:        true,
-		OperationDockerSwarmInspect:         true,
-		OperationDockerNodeList:             true,
-		OperationDockerNodeInspect:          true,
-		OperationDockerServiceList:          true,
-		OperationDockerServiceInspect:       true,
-		OperationDockerServiceLogs:          true,
-		OperationDockerSecretList:           true,
-		OperationDockerSecretInspect:        true,
-		OperationDockerConfigList:           true,
-		OperationDockerConfigInspect:        true,
-		OperationDockerTaskList:             true,
-		OperationDockerTaskInspect:          true,
-		OperationDockerTaskLogs:             true,
-		OperationDockerPluginList:           true,
-		OperationDockerDistributionInspect:  true,
-		OperationDockerPing:                 true,
-		OperationDockerInfo:                 true,
-		OperationDockerVersion:              true,
-		OperationDockerEvents:               true,
-		OperationDockerSystem:               true,
-		OperationDockerAgentPing:            true,
-		OperationDockerAgentList:            true,
-		OperationDockerAgentHostInfo:        true,
-		OperationPortainerStackList:         true,
-		OperationPortainerStackInspect:      true,
-		OperationPortainerStackFile:         true,
-		OperationPortainerWebhookList:       true,
-		EndpointResourcesAccess:             true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-	}
-
-	return authorizations
-}
-
-// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
-// associated to the standard user role.
-func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo:         true,
-		OperationDockerContainerList:                true,
-		OperationDockerContainerExport:              true,
-		OperationDockerContainerChanges:             true,
-		OperationDockerContainerInspect:             true,
-		OperationDockerContainerTop:                 true,
-		OperationDockerContainerLogs:                true,
-		OperationDockerContainerStats:               true,
-		OperationDockerContainerAttachWebsocket:     true,
-		OperationDockerContainerArchive:             true,
-		OperationDockerContainerCreate:              true,
-		OperationDockerContainerKill:                true,
-		OperationDockerContainerPause:               true,
-		OperationDockerContainerUnpause:             true,
-		OperationDockerContainerRestart:             true,
-		OperationDockerContainerStart:               true,
-		OperationDockerContainerStop:                true,
-		OperationDockerContainerWait:                true,
-		OperationDockerContainerResize:              true,
-		OperationDockerContainerAttach:              true,
-		OperationDockerContainerExec:                true,
-		OperationDockerContainerRename:              true,
-		OperationDockerContainerUpdate:              true,
-		OperationDockerContainerPutContainerArchive: true,
-		OperationDockerContainerDelete:              true,
-		OperationDockerImageList:                    true,
-		OperationDockerImageSearch:                  true,
-		OperationDockerImageGetAll:                  true,
-		OperationDockerImageGet:                     true,
-		OperationDockerImageHistory:                 true,
-		OperationDockerImageInspect:                 true,
-		OperationDockerImageLoad:                    true,
-		OperationDockerImageCreate:                  true,
-		OperationDockerImagePush:                    true,
-		OperationDockerImageTag:                     true,
-		OperationDockerImageDelete:                  true,
-		OperationDockerImageCommit:                  true,
-		OperationDockerImageBuild:                   true,
-		OperationDockerNetworkList:                  true,
-		OperationDockerNetworkInspect:               true,
-		OperationDockerNetworkCreate:                true,
-		OperationDockerNetworkConnect:               true,
-		OperationDockerNetworkDisconnect:            true,
-		OperationDockerNetworkDelete:                true,
-		OperationDockerVolumeList:                   true,
-		OperationDockerVolumeInspect:                true,
-		OperationDockerVolumeCreate:                 true,
-		OperationDockerVolumeDelete:                 true,
-		OperationDockerExecInspect:                  true,
-		OperationDockerExecStart:                    true,
-		OperationDockerExecResize:                   true,
-		OperationDockerSwarmInspect:                 true,
-		OperationDockerSwarmUnlockKey:               true,
-		OperationDockerSwarmInit:                    true,
-		OperationDockerSwarmJoin:                    true,
-		OperationDockerSwarmLeave:                   true,
-		OperationDockerSwarmUpdate:                  true,
-		OperationDockerSwarmUnlock:                  true,
-		OperationDockerNodeList:                     true,
-		OperationDockerNodeInspect:                  true,
-		OperationDockerNodeUpdate:                   true,
-		OperationDockerNodeDelete:                   true,
-		OperationDockerServiceList:                  true,
-		OperationDockerServiceInspect:               true,
-		OperationDockerServiceLogs:                  true,
-		OperationDockerServiceCreate:                true,
-		OperationDockerServiceUpdate:                true,
-		OperationDockerServiceDelete:                true,
-		OperationDockerSecretList:                   true,
-		OperationDockerSecretInspect:                true,
-		OperationDockerSecretCreate:                 true,
-		OperationDockerSecretUpdate:                 true,
-		OperationDockerSecretDelete:                 true,
-		OperationDockerConfigList:                   true,
-		OperationDockerConfigInspect:                true,
-		OperationDockerConfigCreate:                 true,
-		OperationDockerConfigUpdate:                 true,
-		OperationDockerConfigDelete:                 true,
-		OperationDockerTaskList:                     true,
-		OperationDockerTaskInspect:                  true,
-		OperationDockerTaskLogs:                     true,
-		OperationDockerPluginList:                   true,
-		OperationDockerPluginPrivileges:             true,
-		OperationDockerPluginInspect:                true,
-		OperationDockerPluginPull:                   true,
-		OperationDockerPluginCreate:                 true,
-		OperationDockerPluginEnable:                 true,
-		OperationDockerPluginDisable:                true,
-		OperationDockerPluginPush:                   true,
-		OperationDockerPluginUpgrade:                true,
-		OperationDockerPluginSet:                    true,
-		OperationDockerPluginDelete:                 true,
-		OperationDockerSessionStart:                 true,
-		OperationDockerDistributionInspect:          true,
-		OperationDockerBuildPrune:                   true,
-		OperationDockerBuildCancel:                  true,
-		OperationDockerPing:                         true,
-		OperationDockerInfo:                         true,
-		OperationDockerVersion:                      true,
-		OperationDockerEvents:                       true,
-		OperationDockerSystem:                       true,
-		OperationDockerUndefined:                    true,
-		OperationDockerAgentPing:                    true,
-		OperationDockerAgentList:                    true,
-		OperationDockerAgentHostInfo:                true,
-		OperationDockerAgentUndefined:               true,
-		OperationPortainerResourceControlUpdate:     true,
-		OperationPortainerStackList:                 true,
-		OperationPortainerStackInspect:              true,
-		OperationPortainerStackFile:                 true,
-		OperationPortainerStackCreate:               true,
-		OperationPortainerStackMigrate:              true,
-		OperationPortainerStackUpdate:               true,
-		OperationPortainerStackDelete:               true,
-		OperationPortainerWebsocketExec:             true,
-		OperationPortainerWebhookList:               true,
-		OperationPortainerWebhookCreate:             true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-		authorizations[OperationDockerAgentBrowseDelete] = true
-		authorizations[OperationDockerAgentBrowsePut] = true
-		authorizations[OperationDockerAgentBrowseRename] = true
-	}
-
-	return authorizations
-}
-
-// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
-// associated to the readonly user role.
-func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) Authorizations {
-	authorizations := map[Authorization]bool{
-		OperationDockerContainerArchiveInfo: true,
-		OperationDockerContainerList:        true,
-		OperationDockerContainerChanges:     true,
-		OperationDockerContainerInspect:     true,
-		OperationDockerContainerTop:         true,
-		OperationDockerContainerLogs:        true,
-		OperationDockerContainerStats:       true,
-		OperationDockerImageList:            true,
-		OperationDockerImageSearch:          true,
-		OperationDockerImageGetAll:          true,
-		OperationDockerImageGet:             true,
-		OperationDockerImageHistory:         true,
-		OperationDockerImageInspect:         true,
-		OperationDockerNetworkList:          true,
-		OperationDockerNetworkInspect:       true,
-		OperationDockerVolumeList:           true,
-		OperationDockerVolumeInspect:        true,
-		OperationDockerSwarmInspect:         true,
-		OperationDockerNodeList:             true,
-		OperationDockerNodeInspect:          true,
-		OperationDockerServiceList:          true,
-		OperationDockerServiceInspect:       true,
-		OperationDockerServiceLogs:          true,
-		OperationDockerSecretList:           true,
-		OperationDockerSecretInspect:        true,
-		OperationDockerConfigList:           true,
-		OperationDockerConfigInspect:        true,
-		OperationDockerTaskList:             true,
-		OperationDockerTaskInspect:          true,
-		OperationDockerTaskLogs:             true,
-		OperationDockerPluginList:           true,
-		OperationDockerDistributionInspect:  true,
-		OperationDockerPing:                 true,
-		OperationDockerInfo:                 true,
-		OperationDockerVersion:              true,
-		OperationDockerEvents:               true,
-		OperationDockerSystem:               true,
-		OperationDockerAgentPing:            true,
-		OperationDockerAgentList:            true,
-		OperationDockerAgentHostInfo:        true,
-		OperationPortainerStackList:         true,
-		OperationPortainerStackInspect:      true,
-		OperationPortainerStackFile:         true,
-		OperationPortainerWebhookList:       true,
-	}
-
-	if volumeBrowsingAuthorizations {
-		authorizations[OperationDockerAgentBrowseGet] = true
-		authorizations[OperationDockerAgentBrowseList] = true
-	}
-
-	return authorizations
-}
-
 // DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
 func DefaultPortainerAuthorizations() Authorizations {
 	return map[Authorization]bool{
@@ -428,7 +61,7 @@ func DefaultPortainerAuthorizations() Authorizations {
 // the authorizations will be dropped for the each role. If removeAuthorizations is set to false, the authorizations
 // will be reset based for each role.
 func (service AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bool) error {
-	roles, err := service.dataStore.Role().Roles()
+	roles, err := service.roleService.Roles()
 	if err != nil {
 		return err
 	}
@@ -438,7 +71,7 @@ func (service AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bo
 		if role.ID != RoleID(1) {
 			updateRoleVolumeBrowsingAuthorizations(&role, remove)

-			err := service.dataStore.Role().UpdateRole(role.ID, &role)
+			err := service.roleService.UpdateRole(role.ID, &role)
 			if err != nil {
 				return err
 			}
@@ -471,7 +104,7 @@ func updateRoleVolumeBrowsingAuthorizations(role *Role, removeAuthorizations boo

 // RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
 func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) error {
-	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	endpoints, err := service.endpointService.Endpoints()
 	if err != nil {
 		return err
 	}
@@ -481,7 +114,7 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 			if policyTeamID == teamID {
 				delete(endpoint.TeamAccessPolicies, policyTeamID)

-				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				err := service.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
 				if err != nil {
 					return err
 				}
@@ -491,7 +124,7 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 		}
 	}

-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
 	}
@@ -501,7 +134,7 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 			if policyTeamID == teamID {
 				delete(endpointGroup.TeamAccessPolicies, policyTeamID)

-				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
 				if err != nil {
 					return err
 				}
@@ -511,7 +144,7 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 		}
 	}

-	registries, err := service.dataStore.Registry().Registries()
+	registries, err := service.registryService.Registries()
 	if err != nil {
 		return err
 	}
@@ -521,7 +154,7 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 			if policyTeamID == teamID {
 				delete(registry.TeamAccessPolicies, policyTeamID)

-				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				err := service.registryService.UpdateRegistry(registry.ID, &registry)
 				if err != nil {
 					return err
 				}
@@ -531,12 +164,12 @@ func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) err
 		}
 	}

-	return service.UpdateUsersAuthorizations()
+	return nil
 }

 // RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
 func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) error {
-	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	endpoints, err := service.endpointService.Endpoints()
 	if err != nil {
 		return err
 	}
@@ -546,7 +179,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err
 			if policyUserID == userID {
 				delete(endpoint.UserAccessPolicies, policyUserID)

-				err := service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				err := service.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
 				if err != nil {
 					return err
 				}
@@ -556,7 +189,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err
 		}
 	}

-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
 	}
@@ -566,7 +199,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err
 			if policyUserID == userID {
 				delete(endpointGroup.UserAccessPolicies, policyUserID)

-				err := service.dataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
 				if err != nil {
 					return err
 				}
@@ -576,7 +209,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err
 		}
 	}

-	registries, err := service.dataStore.Registry().Registries()
+	registries, err := service.registryService.Registries()
 	if err != nil {
 		return err
 	}
@@ -586,7 +219,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err
 			if policyUserID == userID {
 				delete(registry.UserAccessPolicies, policyUserID)

-				err := service.dataStore.Registry().UpdateRegistry(registry.ID, &registry)
+				err := service.registryService.UpdateRegistry(registry.ID, &registry)
 				if err != nil {
 					return err
 				}
@@ -601,7 +234,7 @@ func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) err

 // UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
 func (service *AuthorizationService) UpdateUsersAuthorizations() error {
-	users, err := service.dataStore.User().Users()
+	users, err := service.userService.Users()
 	if err != nil {
 		return err
 	}
@@ -617,7 +250,7 @@ func (service *AuthorizationService) UpdateUsersAuthorizations() error {
 }

 func (service *AuthorizationService) updateUserAuthorizations(userID UserID) error {
-	user, err := service.dataStore.User().User(userID)
+	user, err := service.userService.User(userID)
 	if err != nil {
 		return err
 	}
@@ -629,7 +262,7 @@ func (service *AuthorizationService) updateUserAuthorizations(userID UserID) err

 	user.EndpointAuthorizations = endpointAuthorizations

-	return service.dataStore.User().UpdateUser(userID, user)
+	return service.userService.UpdateUser(userID, user)
 }

 func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuthorizations, error) {
@@ -638,22 +271,22 @@ func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuth
 		return endpointAuthorizations, nil
 	}

-	userMemberships, err := service.dataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	userMemberships, err := service.teamMembershipService.TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return endpointAuthorizations, err
 	}

-	endpoints, err := service.dataStore.Endpoint().Endpoints()
+	endpoints, err := service.endpointService.Endpoints()
 	if err != nil {
 		return endpointAuthorizations, err
 	}

-	endpointGroups, err := service.dataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
 	if err != nil {
 		return endpointAuthorizations, err
 	}

-	roles, err := service.dataStore.Role().Roles()
+	roles, err := service.roleService.Roles()
 	if err != nil {
 		return endpointAuthorizations, err
 	}
@@ -750,25 +383,37 @@ func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership
 }

 func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
-	var associatedRoles []Role
-
+	var roleAuthorizations []Authorizations
 	for _, id := range roleIdentifiers {
 		for _, role := range roles {
 			if role.ID == id {
-				associatedRoles = append(associatedRoles, role)
+				roleAuthorizations = append(roleAuthorizations, role.Authorizations)
 				break
 			}
 		}
 	}

-	var authorizations Authorizations
-	highestPriority := 0
-	for _, role := range associatedRoles {
-		if role.Priority > highestPriority {
-			highestPriority = role.Priority
-			authorizations = role.Authorizations
+	processedAuthorizations := make(Authorizations)
+	if len(roleAuthorizations) > 0 {
+		processedAuthorizations = roleAuthorizations[0]
+		for idx, authorizations := range roleAuthorizations {
+			if idx == 0 {
+				continue
+			}
+			processedAuthorizations = mergeAuthorizations(processedAuthorizations, authorizations)
 		}
 	}

-	return authorizations
+	return processedAuthorizations
+}
+
+func mergeAuthorizations(a, b Authorizations) Authorizations {
+	c := make(map[Authorization]bool)
+
+	for k := range b {
+		if _, ok := a[k]; ok {
+			c[k] = true
+		}
+	}
+	return c
 }
--- a/api/bolt/datastore.go
+++ b/api/bolt/datastore.go
@@ -5,14 +5,13 @@ import (
 	"path"
 	"time"

+	"github.com/portainer/portainer/api/bolt/tunnelserver"
+
 	"github.com/boltdb/bolt"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
-	"github.com/portainer/portainer/api/bolt/edgegroup"
-	"github.com/portainer/portainer/api/bolt/edgestack"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
-	"github.com/portainer/portainer/api/bolt/endpointrelation"
 	"github.com/portainer/portainer/api/bolt/extension"
 	"github.com/portainer/portainer/api/bolt/migrator"
 	"github.com/portainer/portainer/api/bolt/registry"
@@ -24,7 +23,7 @@ import (
 	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/team"
 	"github.com/portainer/portainer/api/bolt/teammembership"
-	"github.com/portainer/portainer/api/bolt/tunnelserver"
+	"github.com/portainer/portainer/api/bolt/template"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
 	"github.com/portainer/portainer/api/bolt/webhook"
@@ -37,30 +36,28 @@ const (
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
-	path                    string
-	db                      *bolt.DB
-	isNew                   bool
-	fileService             portainer.FileService
-	DockerHubService        *dockerhub.Service
-	EdgeGroupService        *edgegroup.Service
-	EdgeStackService        *edgestack.Service
-	EndpointGroupService    *endpointgroup.Service
-	EndpointService         *endpoint.Service
-	EndpointRelationService *endpointrelation.Service
-	ExtensionService        *extension.Service
-	RegistryService         *registry.Service
-	ResourceControlService  *resourcecontrol.Service
-	RoleService             *role.Service
-	ScheduleService         *schedule.Service
-	SettingsService         *settings.Service
-	StackService            *stack.Service
-	TagService              *tag.Service
-	TeamMembershipService   *teammembership.Service
-	TeamService             *team.Service
-	TunnelServerService     *tunnelserver.Service
-	UserService             *user.Service
-	VersionService          *version.Service
-	WebhookService          *webhook.Service
+	path                   string
+	db                     *bolt.DB
+	checkForDataMigration  bool
+	fileService            portainer.FileService
+	RoleService            *role.Service
+	DockerHubService       *dockerhub.Service
+	EndpointGroupService   *endpointgroup.Service
+	EndpointService        *endpoint.Service
+	ExtensionService       *extension.Service
+	RegistryService        *registry.Service
+	ResourceControlService *resourcecontrol.Service
+	SettingsService        *settings.Service
+	StackService           *stack.Service
+	TagService             *tag.Service
+	TeamMembershipService  *teammembership.Service
+	TeamService            *team.Service
+	TemplateService        *template.Service
+	TunnelServerService    *tunnelserver.Service
+	UserService            *user.Service
+	VersionService         *version.Service
+	WebhookService         *webhook.Service
+	ScheduleService        *schedule.Service
 }

 // NewStore initializes a new Store and the associated services
@@ -68,7 +65,6 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 	store := &Store{
 		path:        storePath,
 		fileService: fileService,
-		isNew:       true,
 	}

 	databasePath := path.Join(storePath, databaseFileName)
@@ -77,8 +73,10 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 		return nil, err
 	}

-	if databaseFileExists {
-		store.isNew = false
+	if !databaseFileExists {
+		store.checkForDataMigration = false
+	} else {
+		store.checkForDataMigration = true
 	}

 	return store, nil
@@ -104,16 +102,9 @@ func (store *Store) Close() error {
 	return nil
 }

-// IsNew returns true if the database was just created and false if it is re-using
-// existing data.
-func (store *Store) IsNew() bool {
-	return store.isNew
-}
-
 // MigrateData automatically migrate the data based on the DBVersion.
-// This process is only triggered on an existing database, not if the database was just created.
 func (store *Store) MigrateData() error {
-	if store.isNew {
+	if !store.checkForDataMigration {
 		return store.VersionService.StoreDBVersion(portainer.DBVersion)
 	}

@@ -126,24 +117,22 @@ func (store *Store) MigrateData() error {

 	if version < portainer.DBVersion {
 		migratorParams := &migrator.Parameters{
-			DB:                      store.db,
-			DatabaseVersion:         version,
-			EndpointGroupService:    store.EndpointGroupService,
-			EndpointService:         store.EndpointService,
-			EndpointRelationService: store.EndpointRelationService,
-			ExtensionService:        store.ExtensionService,
-			RegistryService:         store.RegistryService,
-			ResourceControlService:  store.ResourceControlService,
-			RoleService:             store.RoleService,
-			ScheduleService:         store.ScheduleService,
-			SettingsService:         store.SettingsService,
-			StackService:            store.StackService,
-			TagService:              store.TagService,
-			TeamMembershipService:   store.TeamMembershipService,
-			UserService:             store.UserService,
-			VersionService:          store.VersionService,
-			FileService:             store.fileService,
-			AuthorizationService:    portainer.NewAuthorizationService(store),
+			DB:                     store.db,
+			DatabaseVersion:        version,
+			EndpointGroupService:   store.EndpointGroupService,
+			EndpointService:        store.EndpointService,
+			ExtensionService:       store.ExtensionService,
+			RegistryService:        store.RegistryService,
+			ResourceControlService: store.ResourceControlService,
+			RoleService:            store.RoleService,
+			ScheduleService:        store.ScheduleService,
+			SettingsService:        store.SettingsService,
+			StackService:           store.StackService,
+			TeamMembershipService:  store.TeamMembershipService,
+			TemplateService:        store.TemplateService,
+			UserService:            store.UserService,
+			VersionService:         store.VersionService,
+			FileService:            store.fileService,
 		}
 		migrator := migrator.NewMigrator(migratorParams)

@@ -171,18 +160,6 @@ func (store *Store) initServices() error {
 	}
 	store.DockerHubService = dockerhubService

-	edgeStackService, err := edgestack.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EdgeStackService = edgeStackService
-
-	edgeGroupService, err := edgegroup.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EdgeGroupService = edgeGroupService
-
 	endpointgroupService, err := endpointgroup.NewService(store.db)
 	if err != nil {
 		return err
@@ -195,12 +172,6 @@ func (store *Store) initServices() error {
 	}
 	store.EndpointService = endpointService

-	endpointRelationService, err := endpointrelation.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EndpointRelationService = endpointRelationService
-
 	extensionService, err := extension.NewService(store.db)
 	if err != nil {
 		return err
@@ -249,6 +220,12 @@ func (store *Store) initServices() error {
 	}
 	store.TeamService = teamService

+	templateService, err := template.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.TemplateService = templateService
+
 	tunnelServerService, err := tunnelserver.NewService(store.db)
 	if err != nil {
 		return err
@@ -281,103 +258,3 @@ func (store *Store) initServices() error {

 	return nil
 }
-
-// DockerHub gives access to the DockerHub data management layer
-func (store *Store) DockerHub() portainer.DockerHubService {
-	return store.DockerHubService
-}
-
-// EdgeGroup gives access to the EdgeGroup data management layer
-func (store *Store) EdgeGroup() portainer.EdgeGroupService {
-	return store.EdgeGroupService
-}
-
-// EdgeStack gives access to the EdgeStack data management layer
-func (store *Store) EdgeStack() portainer.EdgeStackService {
-	return store.EdgeStackService
-}
-
-// Endpoint gives access to the Endpoint data management layer
-func (store *Store) Endpoint() portainer.EndpointService {
-	return store.EndpointService
-}
-
-// EndpointGroup gives access to the EndpointGroup data management layer
-func (store *Store) EndpointGroup() portainer.EndpointGroupService {
-	return store.EndpointGroupService
-}
-
-// EndpointRelation gives access to the EndpointRelation data management layer
-func (store *Store) EndpointRelation() portainer.EndpointRelationService {
-	return store.EndpointRelationService
-}
-
-// Extension gives access to the Extension data management layer
-func (store *Store) Extension() portainer.ExtensionService {
-	return store.ExtensionService
-}
-
-// Registry gives access to the Registry data management layer
-func (store *Store) Registry() portainer.RegistryService {
-	return store.RegistryService
-}
-
-// ResourceControl gives access to the ResourceControl data management layer
-func (store *Store) ResourceControl() portainer.ResourceControlService {
-	return store.ResourceControlService
-}
-
-// Role gives access to the Role data management layer
-func (store *Store) Role() portainer.RoleService {
-	return store.RoleService
-}
-
-// Schedule gives access to the Schedule data management layer
-func (store *Store) Schedule() portainer.ScheduleService {
-	return store.ScheduleService
-}
-
-// Settings gives access to the Settings data management layer
-func (store *Store) Settings() portainer.SettingsService {
-	return store.SettingsService
-}
-
-// Stack gives access to the Stack data management layer
-func (store *Store) Stack() portainer.StackService {
-	return store.StackService
-}
-
-// Tag gives access to the Tag data management layer
-func (store *Store) Tag() portainer.TagService {
-	return store.TagService
-}
-
-// TeamMembership gives access to the TeamMembership data management layer
-func (store *Store) TeamMembership() portainer.TeamMembershipService {
-	return store.TeamMembershipService
-}
-
-// Team gives access to the Team data management layer
-func (store *Store) Team() portainer.TeamService {
-	return store.TeamService
-}
-
-// TunnelServer gives access to the TunnelServer data management layer
-func (store *Store) TunnelServer() portainer.TunnelServerService {
-	return store.TunnelServerService
-}
-
-// User gives access to the User data management layer
-func (store *Store) User() portainer.UserService {
-	return store.UserService
-}
-
-// Version gives access to the Version data management layer
-func (store *Store) Version() portainer.VersionService {
-	return store.VersionService
-}
-
-// Webhook gives access to the Webhook data management layer
-func (store *Store) Webhook() portainer.WebhookService {
-	return store.WebhookService
-}
--- a/api/bolt/edgestack/edgestack.go
+++ b/api/bolt/edgestack/edgestack.go
@@ -1,101 +0,0 @@
-package edgestack
-
-import (
-	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "edge_stack"
-)
-
-// Service represents a service for managing Edge stack data.
-type Service struct {
-	db *bolt.DB
-}
-
-// NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		db: db,
-	}, nil
-}
-
-// EdgeStacks returns an array containing all edge stacks
-func (service *Service) EdgeStacks() ([]portainer.EdgeStack, error) {
-	var stacks = make([]portainer.EdgeStack, 0)
-
-	err := service.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var stack portainer.EdgeStack
-			err := internal.UnmarshalObject(v, &stack)
-			if err != nil {
-				return err
-			}
-			stacks = append(stacks, stack)
-		}
-
-		return nil
-	})
-
-	return stacks, err
-}
-
-// EdgeStack returns an Edge stack by ID.
-func (service *Service) EdgeStack(ID portainer.EdgeStackID) (*portainer.EdgeStack, error) {
-	var stack portainer.EdgeStack
-	identifier := internal.Itob(int(ID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &stack)
-	if err != nil {
-		return nil, err
-	}
-
-	return &stack, nil
-}
-
-// CreateEdgeStack assign an ID to a new Edge stack and saves it.
-func (service *Service) CreateEdgeStack(edgeStack *portainer.EdgeStack) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		if edgeStack.ID == 0 {
-			id, _ := bucket.NextSequence()
-			edgeStack.ID = portainer.EdgeStackID(id)
-		}
-
-		data, err := internal.MarshalObject(edgeStack)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(edgeStack.ID)), data)
-	})
-}
-
-// UpdateEdgeStack updates an Edge stack.
-func (service *Service) UpdateEdgeStack(ID portainer.EdgeStackID, edgeStack *portainer.EdgeStack) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, edgeStack)
-}
-
-// DeleteEdgeStack deletes an Edge stack.
-func (service *Service) DeleteEdgeStack(ID portainer.EdgeStackID) error {
-	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}
-
-// GetNextIdentifier returns the next identifier for an endpoint.
-func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
-}
--- a/api/bolt/endpointrelation/endpointrelation.go
+++ b/api/bolt/endpointrelation/endpointrelation.go
@@ -1,68 +0,0 @@
-package endpointrelation
-
-import (
-	"github.com/boltdb/bolt"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "endpoint_relations"
-)
-
-// Service represents a service for managing endpoint relation data.
-type Service struct {
-	db *bolt.DB
-}
-
-// NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		db: db,
-	}, nil
-}
-
-// EndpointRelation returns a Endpoint relation object by EndpointID
-func (service *Service) EndpointRelation(endpointID portainer.EndpointID) (*portainer.EndpointRelation, error) {
-	var endpointRelation portainer.EndpointRelation
-	identifier := internal.Itob(int(endpointID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &endpointRelation)
-	if err != nil {
-		return nil, err
-	}
-
-	return &endpointRelation, nil
-}
-
-// CreateEndpointRelation saves endpointRelation
-func (service *Service) CreateEndpointRelation(endpointRelation *portainer.EndpointRelation) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		data, err := internal.MarshalObject(endpointRelation)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(endpointRelation.EndpointID)), data)
-	})
-}
-
-// UpdateEndpointRelation updates an Endpoint relation object
-func (service *Service) UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error {
-	identifier := internal.Itob(int(EndpointID))
-	return internal.UpdateObject(service.db, BucketName, identifier, endpointRelation)
-}
-
-// DeleteEndpointRelation deletes an Endpoint relation object
-func (service *Service) DeleteEndpointRelation(EndpointID portainer.EndpointID) error {
-	identifier := internal.Itob(int(EndpointID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@@ -4,55 +4,6 @@ import portainer "github.com/portainer/portainer/api"

 // Init creates the default data set.
 func (store *Store) Init() error {
-	_, err := store.SettingsService.Settings()
-	if err == portainer.ErrObjectNotFound {
-		defaultSettings := &portainer.Settings{
-			AuthenticationMethod: portainer.AuthenticationInternal,
-			BlackListedLabels:    make([]portainer.Pair, 0),
-			LDAPSettings: portainer.LDAPSettings{
-				AnonymousMode:   true,
-				AutoCreateUsers: true,
-				TLSConfig:       portainer.TLSConfiguration{},
-				SearchSettings: []portainer.LDAPSearchSettings{
-					portainer.LDAPSearchSettings{},
-				},
-				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
-					portainer.LDAPGroupSearchSettings{},
-				},
-			},
-			OAuthSettings:                      portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:     true,
-			AllowPrivilegedModeForRegularUsers: true,
-			AllowVolumeBrowserForRegularUsers:  false,
-			EnableHostManagementFeatures:       false,
-			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:                       portainer.DefaultTemplatesURL,
-		}
-
-		err = store.SettingsService.UpdateSettings(defaultSettings)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
-	_, err = store.DockerHubService.DockerHub()
-	if err == portainer.ErrObjectNotFound {
-		defaultDockerHub := &portainer.DockerHub{
-			Authentication: false,
-			Username:       "",
-			Password:       "",
-		}
-
-		err := store.DockerHubService.UpdateDockerHub(defaultDockerHub)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
 	groups, err := store.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
@@ -65,7 +16,7 @@ func (store *Store) Init() error {
 			Labels:             []portainer.Pair{},
 			UserAccessPolicies: portainer.UserAccessPolicies{},
 			TeamAccessPolicies: portainer.TeamAccessPolicies{},
-			TagIDs:             []portainer.TagID{},
+			Tags:               []string{},
 		}

 		err = store.EndpointGroupService.CreateEndpointGroup(unassignedGroup)
@@ -81,10 +32,141 @@ func (store *Store) Init() error {

 	if len(roles) == 0 {
 		environmentAdministratorRole := &portainer.Role{
-			Name:           "Endpoint administrator",
-			Description:    "Full control of all resources in an endpoint",
-			Priority:       1,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
+			Name:        "Endpoint administrator",
+			Description: "Full control of all resources in an endpoint",
+			Authorizations: map[portainer.Authorization]bool{
+				portainer.OperationDockerContainerArchiveInfo:         true,
+				portainer.OperationDockerContainerList:                true,
+				portainer.OperationDockerContainerExport:              true,
+				portainer.OperationDockerContainerChanges:             true,
+				portainer.OperationDockerContainerInspect:             true,
+				portainer.OperationDockerContainerTop:                 true,
+				portainer.OperationDockerContainerLogs:                true,
+				portainer.OperationDockerContainerStats:               true,
+				portainer.OperationDockerContainerAttachWebsocket:     true,
+				portainer.OperationDockerContainerArchive:             true,
+				portainer.OperationDockerContainerCreate:              true,
+				portainer.OperationDockerContainerPrune:               true,
+				portainer.OperationDockerContainerKill:                true,
+				portainer.OperationDockerContainerPause:               true,
+				portainer.OperationDockerContainerUnpause:             true,
+				portainer.OperationDockerContainerRestart:             true,
+				portainer.OperationDockerContainerStart:               true,
+				portainer.OperationDockerContainerStop:                true,
+				portainer.OperationDockerContainerWait:                true,
+				portainer.OperationDockerContainerResize:              true,
+				portainer.OperationDockerContainerAttach:              true,
+				portainer.OperationDockerContainerExec:                true,
+				portainer.OperationDockerContainerRename:              true,
+				portainer.OperationDockerContainerUpdate:              true,
+				portainer.OperationDockerContainerPutContainerArchive: true,
+				portainer.OperationDockerContainerDelete:              true,
+				portainer.OperationDockerImageList:                    true,
+				portainer.OperationDockerImageSearch:                  true,
+				portainer.OperationDockerImageGetAll:                  true,
+				portainer.OperationDockerImageGet:                     true,
+				portainer.OperationDockerImageHistory:                 true,
+				portainer.OperationDockerImageInspect:                 true,
+				portainer.OperationDockerImageLoad:                    true,
+				portainer.OperationDockerImageCreate:                  true,
+				portainer.OperationDockerImagePrune:                   true,
+				portainer.OperationDockerImagePush:                    true,
+				portainer.OperationDockerImageTag:                     true,
+				portainer.OperationDockerImageDelete:                  true,
+				portainer.OperationDockerImageCommit:                  true,
+				portainer.OperationDockerImageBuild:                   true,
+				portainer.OperationDockerNetworkList:                  true,
+				portainer.OperationDockerNetworkInspect:               true,
+				portainer.OperationDockerNetworkCreate:                true,
+				portainer.OperationDockerNetworkConnect:               true,
+				portainer.OperationDockerNetworkDisconnect:            true,
+				portainer.OperationDockerNetworkPrune:                 true,
+				portainer.OperationDockerNetworkDelete:                true,
+				portainer.OperationDockerVolumeList:                   true,
+				portainer.OperationDockerVolumeInspect:                true,
+				portainer.OperationDockerVolumeCreate:                 true,
+				portainer.OperationDockerVolumePrune:                  true,
+				portainer.OperationDockerVolumeDelete:                 true,
+				portainer.OperationDockerExecInspect:                  true,
+				portainer.OperationDockerExecStart:                    true,
+				portainer.OperationDockerExecResize:                   true,
+				portainer.OperationDockerSwarmInspect:                 true,
+				portainer.OperationDockerSwarmUnlockKey:               true,
+				portainer.OperationDockerSwarmInit:                    true,
+				portainer.OperationDockerSwarmJoin:                    true,
+				portainer.OperationDockerSwarmLeave:                   true,
+				portainer.OperationDockerSwarmUpdate:                  true,
+				portainer.OperationDockerSwarmUnlock:                  true,
+				portainer.OperationDockerNodeList:                     true,
+				portainer.OperationDockerNodeInspect:                  true,
+				portainer.OperationDockerNodeUpdate:                   true,
+				portainer.OperationDockerNodeDelete:                   true,
+				portainer.OperationDockerServiceList:                  true,
+				portainer.OperationDockerServiceInspect:               true,
+				portainer.OperationDockerServiceLogs:                  true,
+				portainer.OperationDockerServiceCreate:                true,
+				portainer.OperationDockerServiceUpdate:                true,
+				portainer.OperationDockerServiceDelete:                true,
+				portainer.OperationDockerSecretList:                   true,
+				portainer.OperationDockerSecretInspect:                true,
+				portainer.OperationDockerSecretCreate:                 true,
+				portainer.OperationDockerSecretUpdate:                 true,
+				portainer.OperationDockerSecretDelete:                 true,
+				portainer.OperationDockerConfigList:                   true,
+				portainer.OperationDockerConfigInspect:                true,
+				portainer.OperationDockerConfigCreate:                 true,
+				portainer.OperationDockerConfigUpdate:                 true,
+				portainer.OperationDockerConfigDelete:                 true,
+				portainer.OperationDockerTaskList:                     true,
+				portainer.OperationDockerTaskInspect:                  true,
+				portainer.OperationDockerTaskLogs:                     true,
+				portainer.OperationDockerPluginList:                   true,
+				portainer.OperationDockerPluginPrivileges:             true,
+				portainer.OperationDockerPluginInspect:                true,
+				portainer.OperationDockerPluginPull:                   true,
+				portainer.OperationDockerPluginCreate:                 true,
+				portainer.OperationDockerPluginEnable:                 true,
+				portainer.OperationDockerPluginDisable:                true,
+				portainer.OperationDockerPluginPush:                   true,
+				portainer.OperationDockerPluginUpgrade:                true,
+				portainer.OperationDockerPluginSet:                    true,
+				portainer.OperationDockerPluginDelete:                 true,
+				portainer.OperationDockerSessionStart:                 true,
+				portainer.OperationDockerDistributionInspect:          true,
+				portainer.OperationDockerBuildPrune:                   true,
+				portainer.OperationDockerBuildCancel:                  true,
+				portainer.OperationDockerPing:                         true,
+				portainer.OperationDockerInfo:                         true,
+				portainer.OperationDockerVersion:                      true,
+				portainer.OperationDockerEvents:                       true,
+				portainer.OperationDockerSystem:                       true,
+				portainer.OperationDockerUndefined:                    true,
+				portainer.OperationDockerAgentPing:                    true,
+				portainer.OperationDockerAgentList:                    true,
+				portainer.OperationDockerAgentHostInfo:                true,
+				portainer.OperationDockerAgentBrowseDelete:            true,
+				portainer.OperationDockerAgentBrowseGet:               true,
+				portainer.OperationDockerAgentBrowseList:              true,
+				portainer.OperationDockerAgentBrowsePut:               true,
+				portainer.OperationDockerAgentBrowseRename:            true,
+				portainer.OperationDockerAgentUndefined:               true,
+				portainer.OperationPortainerResourceControlCreate:     true,
+				portainer.OperationPortainerResourceControlUpdate:     true,
+				portainer.OperationPortainerResourceControlDelete:     true,
+				portainer.OperationPortainerStackList:                 true,
+				portainer.OperationPortainerStackInspect:              true,
+				portainer.OperationPortainerStackFile:                 true,
+				portainer.OperationPortainerStackCreate:               true,
+				portainer.OperationPortainerStackMigrate:              true,
+				portainer.OperationPortainerStackUpdate:               true,
+				portainer.OperationPortainerStackDelete:               true,
+				portainer.OperationPortainerWebsocketExec:             true,
+				portainer.OperationPortainerWebhookList:               true,
+				portainer.OperationPortainerWebhookCreate:             true,
+				portainer.OperationPortainerWebhookDelete:             true,
+				portainer.OperationIntegrationStoridgeAdmin:           true,
+				portainer.EndpointResourcesAccess:                     true,
+			},
 		}

 		err = store.RoleService.CreateRole(environmentAdministratorRole)
@@ -93,10 +175,55 @@ func (store *Store) Init() error {
 		}

 		environmentReadOnlyUserRole := &portainer.Role{
-			Name:           "Helpdesk",
-			Description:    "Read-only access of all resources in an endpoint",
-			Priority:       2,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
+			Name:        "Helpdesk",
+			Description: "Read-only access of all resources in an endpoint",
+			Authorizations: map[portainer.Authorization]bool{
+				portainer.OperationDockerContainerArchiveInfo: true,
+				portainer.OperationDockerContainerList:        true,
+				portainer.OperationDockerContainerChanges:     true,
+				portainer.OperationDockerContainerInspect:     true,
+				portainer.OperationDockerContainerTop:         true,
+				portainer.OperationDockerContainerLogs:        true,
+				portainer.OperationDockerContainerStats:       true,
+				portainer.OperationDockerImageList:            true,
+				portainer.OperationDockerImageSearch:          true,
+				portainer.OperationDockerImageGetAll:          true,
+				portainer.OperationDockerImageGet:             true,
+				portainer.OperationDockerImageHistory:         true,
+				portainer.OperationDockerImageInspect:         true,
+				portainer.OperationDockerNetworkList:          true,
+				portainer.OperationDockerNetworkInspect:       true,
+				portainer.OperationDockerVolumeList:           true,
+				portainer.OperationDockerVolumeInspect:        true,
+				portainer.OperationDockerSwarmInspect:         true,
+				portainer.OperationDockerNodeList:             true,
+				portainer.OperationDockerNodeInspect:          true,
+				portainer.OperationDockerServiceList:          true,
+				portainer.OperationDockerServiceInspect:       true,
+				portainer.OperationDockerServiceLogs:          true,
+				portainer.OperationDockerSecretList:           true,
+				portainer.OperationDockerSecretInspect:        true,
+				portainer.OperationDockerConfigList:           true,
+				portainer.OperationDockerConfigInspect:        true,
+				portainer.OperationDockerTaskList:             true,
+				portainer.OperationDockerTaskInspect:          true,
+				portainer.OperationDockerTaskLogs:             true,
+				portainer.OperationDockerPluginList:           true,
+				portainer.OperationDockerDistributionInspect:  true,
+				portainer.OperationDockerPing:                 true,
+				portainer.OperationDockerInfo:                 true,
+				portainer.OperationDockerVersion:              true,
+				portainer.OperationDockerEvents:               true,
+				portainer.OperationDockerSystem:               true,
+				portainer.OperationDockerAgentPing:            true,
+				portainer.OperationDockerAgentList:            true,
+				portainer.OperationDockerAgentHostInfo:        true,
+				portainer.OperationPortainerStackList:         true,
+				portainer.OperationPortainerStackInspect:      true,
+				portainer.OperationPortainerStackFile:         true,
+				portainer.OperationPortainerWebhookList:       true,
+				portainer.EndpointResourcesAccess:             true,
+			},
 		}

 		err = store.RoleService.CreateRole(environmentReadOnlyUserRole)
@@ -105,10 +232,129 @@ func (store *Store) Init() error {
 		}

 		standardUserRole := &portainer.Role{
-			Name:           "Standard user",
-			Description:    "Full control of assigned resources in an endpoint",
-			Priority:       3,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
+			Name:        "Standard user",
+			Description: "Full control of assigned resources in an endpoint",
+			Authorizations: map[portainer.Authorization]bool{
+				portainer.OperationDockerContainerArchiveInfo:         true,
+				portainer.OperationDockerContainerList:                true,
+				portainer.OperationDockerContainerExport:              true,
+				portainer.OperationDockerContainerChanges:             true,
+				portainer.OperationDockerContainerInspect:             true,
+				portainer.OperationDockerContainerTop:                 true,
+				portainer.OperationDockerContainerLogs:                true,
+				portainer.OperationDockerContainerStats:               true,
+				portainer.OperationDockerContainerAttachWebsocket:     true,
+				portainer.OperationDockerContainerArchive:             true,
+				portainer.OperationDockerContainerCreate:              true,
+				portainer.OperationDockerContainerKill:                true,
+				portainer.OperationDockerContainerPause:               true,
+				portainer.OperationDockerContainerUnpause:             true,
+				portainer.OperationDockerContainerRestart:             true,
+				portainer.OperationDockerContainerStart:               true,
+				portainer.OperationDockerContainerStop:                true,
+				portainer.OperationDockerContainerWait:                true,
+				portainer.OperationDockerContainerResize:              true,
+				portainer.OperationDockerContainerAttach:              true,
+				portainer.OperationDockerContainerExec:                true,
+				portainer.OperationDockerContainerRename:              true,
+				portainer.OperationDockerContainerUpdate:              true,
+				portainer.OperationDockerContainerPutContainerArchive: true,
+				portainer.OperationDockerContainerDelete:              true,
+				portainer.OperationDockerImageList:                    true,
+				portainer.OperationDockerImageSearch:                  true,
+				portainer.OperationDockerImageGetAll:                  true,
+				portainer.OperationDockerImageGet:                     true,
+				portainer.OperationDockerImageHistory:                 true,
+				portainer.OperationDockerImageInspect:                 true,
+				portainer.OperationDockerImageLoad:                    true,
+				portainer.OperationDockerImageCreate:                  true,
+				portainer.OperationDockerImagePush:                    true,
+				portainer.OperationDockerImageTag:                     true,
+				portainer.OperationDockerImageDelete:                  true,
+				portainer.OperationDockerImageCommit:                  true,
+				portainer.OperationDockerImageBuild:                   true,
+				portainer.OperationDockerNetworkList:                  true,
+				portainer.OperationDockerNetworkInspect:               true,
+				portainer.OperationDockerNetworkCreate:                true,
+				portainer.OperationDockerNetworkConnect:               true,
+				portainer.OperationDockerNetworkDisconnect:            true,
+				portainer.OperationDockerNetworkDelete:                true,
+				portainer.OperationDockerVolumeList:                   true,
+				portainer.OperationDockerVolumeInspect:                true,
+				portainer.OperationDockerVolumeCreate:                 true,
+				portainer.OperationDockerVolumeDelete:                 true,
+				portainer.OperationDockerExecInspect:                  true,
+				portainer.OperationDockerExecStart:                    true,
+				portainer.OperationDockerExecResize:                   true,
+				portainer.OperationDockerSwarmInspect:                 true,
+				portainer.OperationDockerSwarmUnlockKey:               true,
+				portainer.OperationDockerSwarmInit:                    true,
+				portainer.OperationDockerSwarmJoin:                    true,
+				portainer.OperationDockerSwarmLeave:                   true,
+				portainer.OperationDockerSwarmUpdate:                  true,
+				portainer.OperationDockerSwarmUnlock:                  true,
+				portainer.OperationDockerNodeList:                     true,
+				portainer.OperationDockerNodeInspect:                  true,
+				portainer.OperationDockerNodeUpdate:                   true,
+				portainer.OperationDockerNodeDelete:                   true,
+				portainer.OperationDockerServiceList:                  true,
+				portainer.OperationDockerServiceInspect:               true,
+				portainer.OperationDockerServiceLogs:                  true,
+				portainer.OperationDockerServiceCreate:                true,
+				portainer.OperationDockerServiceUpdate:                true,
+				portainer.OperationDockerServiceDelete:                true,
+				portainer.OperationDockerSecretList:                   true,
+				portainer.OperationDockerSecretInspect:                true,
+				portainer.OperationDockerSecretCreate:                 true,
+				portainer.OperationDockerSecretUpdate:                 true,
+				portainer.OperationDockerSecretDelete:                 true,
+				portainer.OperationDockerConfigList:                   true,
+				portainer.OperationDockerConfigInspect:                true,
+				portainer.OperationDockerConfigCreate:                 true,
+				portainer.OperationDockerConfigUpdate:                 true,
+				portainer.OperationDockerConfigDelete:                 true,
+				portainer.OperationDockerTaskList:                     true,
+				portainer.OperationDockerTaskInspect:                  true,
+				portainer.OperationDockerTaskLogs:                     true,
+				portainer.OperationDockerPluginList:                   true,
+				portainer.OperationDockerPluginPrivileges:             true,
+				portainer.OperationDockerPluginInspect:                true,
+				portainer.OperationDockerPluginPull:                   true,
+				portainer.OperationDockerPluginCreate:                 true,
+				portainer.OperationDockerPluginEnable:                 true,
+				portainer.OperationDockerPluginDisable:                true,
+				portainer.OperationDockerPluginPush:                   true,
+				portainer.OperationDockerPluginUpgrade:                true,
+				portainer.OperationDockerPluginSet:                    true,
+				portainer.OperationDockerPluginDelete:                 true,
+				portainer.OperationDockerSessionStart:                 true,
+				portainer.OperationDockerDistributionInspect:          true,
+				portainer.OperationDockerBuildPrune:                   true,
+				portainer.OperationDockerBuildCancel:                  true,
+				portainer.OperationDockerPing:                         true,
+				portainer.OperationDockerInfo:                         true,
+				portainer.OperationDockerVersion:                      true,
+				portainer.OperationDockerEvents:                       true,
+				portainer.OperationDockerSystem:                       true,
+				portainer.OperationDockerUndefined:                    true,
+				portainer.OperationDockerAgentPing:                    true,
+				portainer.OperationDockerAgentList:                    true,
+				portainer.OperationDockerAgentHostInfo:                true,
+				portainer.OperationDockerAgentUndefined:               true,
+				portainer.OperationPortainerResourceControlCreate:     true,
+				portainer.OperationPortainerResourceControlUpdate:     true,
+				portainer.OperationPortainerResourceControlDelete:     true,
+				portainer.OperationPortainerStackList:                 true,
+				portainer.OperationPortainerStackInspect:              true,
+				portainer.OperationPortainerStackFile:                 true,
+				portainer.OperationPortainerStackCreate:               true,
+				portainer.OperationPortainerStackMigrate:              true,
+				portainer.OperationPortainerStackUpdate:               true,
+				portainer.OperationPortainerStackDelete:               true,
+				portainer.OperationPortainerWebsocketExec:             true,
+				portainer.OperationPortainerWebhookList:               true,
+				portainer.OperationPortainerWebhookCreate:             true,
+			},
 		}

 		err = store.RoleService.CreateRole(standardUserRole)
@@ -117,10 +363,54 @@ func (store *Store) Init() error {
 		}

 		readOnlyUserRole := &portainer.Role{
-			Name:           "Read-only user",
-			Description:    "Read-only access of assigned resources in an endpoint",
-			Priority:       4,
-			Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
+			Name:        "Read-only user",
+			Description: "Read-only access of assigned resources in an endpoint",
+			Authorizations: map[portainer.Authorization]bool{
+				portainer.OperationDockerContainerArchiveInfo: true,
+				portainer.OperationDockerContainerList:        true,
+				portainer.OperationDockerContainerChanges:     true,
+				portainer.OperationDockerContainerInspect:     true,
+				portainer.OperationDockerContainerTop:         true,
+				portainer.OperationDockerContainerLogs:        true,
+				portainer.OperationDockerContainerStats:       true,
+				portainer.OperationDockerImageList:            true,
+				portainer.OperationDockerImageSearch:          true,
+				portainer.OperationDockerImageGetAll:          true,
+				portainer.OperationDockerImageGet:             true,
+				portainer.OperationDockerImageHistory:         true,
+				portainer.OperationDockerImageInspect:         true,
+				portainer.OperationDockerNetworkList:          true,
+				portainer.OperationDockerNetworkInspect:       true,
+				portainer.OperationDockerVolumeList:           true,
+				portainer.OperationDockerVolumeInspect:        true,
+				portainer.OperationDockerSwarmInspect:         true,
+				portainer.OperationDockerNodeList:             true,
+				portainer.OperationDockerNodeInspect:          true,
+				portainer.OperationDockerServiceList:          true,
+				portainer.OperationDockerServiceInspect:       true,
+				portainer.OperationDockerServiceLogs:          true,
+				portainer.OperationDockerSecretList:           true,
+				portainer.OperationDockerSecretInspect:        true,
+				portainer.OperationDockerConfigList:           true,
+				portainer.OperationDockerConfigInspect:        true,
+				portainer.OperationDockerTaskList:             true,
+				portainer.OperationDockerTaskInspect:          true,
+				portainer.OperationDockerTaskLogs:             true,
+				portainer.OperationDockerPluginList:           true,
+				portainer.OperationDockerDistributionInspect:  true,
+				portainer.OperationDockerPing:                 true,
+				portainer.OperationDockerInfo:                 true,
+				portainer.OperationDockerVersion:              true,
+				portainer.OperationDockerEvents:               true,
+				portainer.OperationDockerSystem:               true,
+				portainer.OperationDockerAgentPing:            true,
+				portainer.OperationDockerAgentList:            true,
+				portainer.OperationDockerAgentHostInfo:        true,
+				portainer.OperationPortainerStackList:         true,
+				portainer.OperationPortainerStackInspect:      true,
+				portainer.OperationPortainerStackFile:         true,
+				portainer.OperationPortainerWebhookList:       true,
+			},
 		}

 		err = store.RoleService.CreateRole(readOnlyUserRole)
--- a/api/bolt/internal/db.go
+++ b/api/bolt/internal/db.go
@@ -82,15 +82,13 @@ func DeleteObject(db *bolt.DB, bucketName string, key []byte) error {
 func GetNextIdentifier(db *bolt.DB, bucketName string) int {
 	var identifier int

-	db.Update(func(tx *bolt.Tx) error {
+	db.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-		id, err := bucket.NextSequence()
-		if err != nil {
-			return err
-		}
+		id := bucket.Sequence()
 		identifier = int(id)
 		return nil
 	})

+	identifier++
 	return identifier
 }
--- a/api/bolt/migrator/migrate_dbversion14.go
+++ b/api/bolt/migrator/migrate_dbversion14.go
@@ -1,5 +1,11 @@
 package migrator

+import (
+	"strings"
+
+	"github.com/portainer/portainer/api"
+)
+
 func (m *Migrator) updateSettingsToDBVersion15() error {
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
@@ -11,6 +17,19 @@ func (m *Migrator) updateSettingsToDBVersion15() error {
 }

 func (m *Migrator) updateTemplatesToVersion15() error {
-	// Removed with the entire template management layer, part of https://github.com/portainer/portainer/issues/3707
+	legacyTemplates, err := m.templateService.Templates()
+	if err != nil {
+		return err
+	}
+
+	for _, template := range legacyTemplates {
+		template.Logo = strings.Replace(template.Logo, "https://portainer.io/images", portainer.AssetsServerURL, -1)
+
+		err = m.templateService.UpdateTemplate(template.ID, &template)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/api/bolt/migrator/migrate_dbversion19.go
+++ b/api/bolt/migrator/migrate_dbversion19.go
@@ -7,7 +7,17 @@ import (
 )

 func (m *Migrator) updateUsersToDBVersion20() error {
-	return m.authorizationService.UpdateUsersAuthorizations()
+	authorizationServiceParameters := &portainer.AuthorizationServiceParameters{
+		EndpointService:       m.endpointService,
+		EndpointGroupService:  m.endpointGroupService,
+		RegistryService:       m.registryService,
+		RoleService:           m.roleService,
+		TeamMembershipService: m.teamMembershipService,
+		UserService:           m.userService,
+	}
+
+	authorizationService := portainer.NewAuthorizationService(authorizationServiceParameters)
+	return authorizationService.UpdateUsersAuthorizations()
 }

 func (m *Migrator) updateSettingsToDBVersion20() error {
--- a/api/bolt/migrator/migrate_dbversion20.go
+++ b/api/bolt/migrator/migrate_dbversion20.go
@@ -1,36 +1,15 @@
 package migrator

-import portainer "github.com/portainer/portainer/api"
+import (
+	portainer "github.com/portainer/portainer/api"
+)

-func (m *Migrator) updateResourceControlsToDBVersion22() error {
-	legacyResourceControls, err := m.resourceControlService.ResourceControls()
-	if err != nil {
-		return err
-	}
-
-	for _, resourceControl := range legacyResourceControls {
-		resourceControl.AdministratorsOnly = false
-
-		err := m.resourceControlService.UpdateResourceControl(resourceControl.ID, &resourceControl)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
+func (m *Migrator) updateUsersToDBVersion21() error {
 	legacyUsers, err := m.userService.Users()
 	if err != nil {
 		return err
 	}

-	settings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = portainer.DefaultPortainerAuthorizations()
 		err = m.userService.UpdateUser(user.ID, &user)
@@ -39,44 +18,5 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		}
 	}

-	endpointAdministratorRole, err := m.roleService.Role(portainer.RoleID(1))
-	if err != nil {
-		return err
-	}
-	endpointAdministratorRole.Priority = 1
-	endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
-
-	err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)
-
-	helpDeskRole, err := m.roleService.Role(portainer.RoleID(2))
-	if err != nil {
-		return err
-	}
-	helpDeskRole.Priority = 2
-	helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
-
-	err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)
-
-	standardUserRole, err := m.roleService.Role(portainer.RoleID(3))
-	if err != nil {
-		return err
-	}
-	standardUserRole.Priority = 3
-	standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
-
-	err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)
-
-	readOnlyUserRole, err := m.roleService.Role(portainer.RoleID(4))
-	if err != nil {
-		return err
-	}
-	readOnlyUserRole.Priority = 4
-	readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
-
-	err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
-		return err
-	}
-
-	return m.authorizationService.UpdateUsersAuthorizations()
+	return nil
 }
--- a/api/bolt/migrator/migrate_dbversion22.go
+++ b/api/bolt/migrator/migrate_dbversion22.go
@@ -1,92 +0,0 @@
-package migrator
-
-import "github.com/portainer/portainer/api"
-
-func (m *Migrator) updateTagsToDBVersion23() error {
-	tags, err := m.tagService.Tags()
-	if err != nil {
-		return err
-	}
-
-	for _, tag := range tags {
-		tag.EndpointGroups = make(map[portainer.EndpointGroupID]bool)
-		tag.Endpoints = make(map[portainer.EndpointID]bool)
-		err = m.tagService.UpdateTag(tag.ID, &tag)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-func (m *Migrator) updateEndpointsAndEndpointGroupsToDBVersion23() error {
-	tags, err := m.tagService.Tags()
-	if err != nil {
-		return err
-	}
-
-	tagsNameMap := make(map[string]portainer.Tag)
-	for _, tag := range tags {
-		tagsNameMap[tag.Name] = tag
-	}
-
-	endpoints, err := m.endpointService.Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		endpointTags := make([]portainer.TagID, 0)
-		for _, tagName := range endpoint.Tags {
-			tag, ok := tagsNameMap[tagName]
-			if ok {
-				endpointTags = append(endpointTags, tag.ID)
-				tag.Endpoints[endpoint.ID] = true
-			}
-		}
-		endpoint.TagIDs = endpointTags
-		err = m.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
-		if err != nil {
-			return err
-		}
-
-		relation := &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: map[portainer.EdgeStackID]bool{},
-		}
-
-		err = m.endpointRelationService.CreateEndpointRelation(relation)
-		if err != nil {
-			return err
-		}
-	}
-
-	endpointGroups, err := m.endpointGroupService.EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	for _, endpointGroup := range endpointGroups {
-		endpointGroupTags := make([]portainer.TagID, 0)
-		for _, tagName := range endpointGroup.Tags {
-			tag, ok := tagsNameMap[tagName]
-			if ok {
-				endpointGroupTags = append(endpointGroupTags, tag.ID)
-				tag.EndpointGroups[endpointGroup.ID] = true
-			}
-		}
-		endpointGroup.TagIDs = endpointGroupTags
-		err = m.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
-		if err != nil {
-			return err
-		}
-	}
-
-	for _, tag := range tagsNameMap {
-		err = m.tagService.UpdateTag(tag.ID, &tag)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
--- a/api/bolt/migrator/migrate_dbversion23.go
+++ b/api/bolt/migrator/migrate_dbversion23.go
@@ -1,18 +0,0 @@
-package migrator
-
-import portainer "github.com/portainer/portainer/api"
-
-func (m *Migrator) updateSettingsToDB24() error {
-	legacySettings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
-	if legacySettings.TemplatesURL == "" {
-		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
-
-		return m.settingsService.UpdateSettings(legacySettings)
-	}
-
-	return nil
-}
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@@ -5,7 +5,6 @@ import (
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
-	"github.com/portainer/portainer/api/bolt/endpointrelation"
 	"github.com/portainer/portainer/api/bolt/extension"
 	"github.com/portainer/portainer/api/bolt/registry"
 	"github.com/portainer/portainer/api/bolt/resourcecontrol"
@@ -13,8 +12,8 @@ import (
 	"github.com/portainer/portainer/api/bolt/schedule"
 	"github.com/portainer/portainer/api/bolt/settings"
 	"github.com/portainer/portainer/api/bolt/stack"
-	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/teammembership"
+	"github.com/portainer/portainer/api/bolt/template"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
 )
@@ -22,75 +21,70 @@ import (
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
-		currentDBVersion        int
-		db                      *bolt.DB
-		endpointGroupService    *endpointgroup.Service
-		endpointService         *endpoint.Service
-		endpointRelationService *endpointrelation.Service
-		extensionService        *extension.Service
-		registryService         *registry.Service
-		resourceControlService  *resourcecontrol.Service
-		roleService             *role.Service
-		scheduleService         *schedule.Service
-		settingsService         *settings.Service
-		stackService            *stack.Service
-		tagService              *tag.Service
-		teamMembershipService   *teammembership.Service
-		userService             *user.Service
-		versionService          *version.Service
-		fileService             portainer.FileService
-		authorizationService    *portainer.AuthorizationService
+		currentDBVersion       int
+		db                     *bolt.DB
+		endpointGroupService   *endpointgroup.Service
+		endpointService        *endpoint.Service
+		extensionService       *extension.Service
+		registryService        *registry.Service
+		resourceControlService *resourcecontrol.Service
+		roleService            *role.Service
+		scheduleService        *schedule.Service
+		settingsService        *settings.Service
+		stackService           *stack.Service
+		teamMembershipService  *teammembership.Service
+		templateService        *template.Service
+		userService            *user.Service
+		versionService         *version.Service
+		fileService            portainer.FileService
 	}

 	// Parameters represents the required parameters to create a new Migrator instance.
 	Parameters struct {
-		DB                      *bolt.DB
-		DatabaseVersion         int
-		EndpointGroupService    *endpointgroup.Service
-		EndpointService         *endpoint.Service
-		EndpointRelationService *endpointrelation.Service
-		ExtensionService        *extension.Service
-		RegistryService         *registry.Service
-		ResourceControlService  *resourcecontrol.Service
-		RoleService             *role.Service
-		ScheduleService         *schedule.Service
-		SettingsService         *settings.Service
-		StackService            *stack.Service
-		TagService              *tag.Service
-		TeamMembershipService   *teammembership.Service
-		UserService             *user.Service
-		VersionService          *version.Service
-		FileService             portainer.FileService
-		AuthorizationService    *portainer.AuthorizationService
+		DB                     *bolt.DB
+		DatabaseVersion        int
+		EndpointGroupService   *endpointgroup.Service
+		EndpointService        *endpoint.Service
+		ExtensionService       *extension.Service
+		RegistryService        *registry.Service
+		ResourceControlService *resourcecontrol.Service
+		RoleService            *role.Service
+		ScheduleService        *schedule.Service
+		SettingsService        *settings.Service
+		StackService           *stack.Service
+		TeamMembershipService  *teammembership.Service
+		TemplateService        *template.Service
+		UserService            *user.Service
+		VersionService         *version.Service
+		FileService            portainer.FileService
 	}
 )

 // NewMigrator creates a new Migrator.
 func NewMigrator(parameters *Parameters) *Migrator {
 	return &Migrator{
-		db:                      parameters.DB,
-		currentDBVersion:        parameters.DatabaseVersion,
-		endpointGroupService:    parameters.EndpointGroupService,
-		endpointService:         parameters.EndpointService,
-		endpointRelationService: parameters.EndpointRelationService,
-		extensionService:        parameters.ExtensionService,
-		registryService:         parameters.RegistryService,
-		resourceControlService:  parameters.ResourceControlService,
-		roleService:             parameters.RoleService,
-		scheduleService:         parameters.ScheduleService,
-		settingsService:         parameters.SettingsService,
-		tagService:              parameters.TagService,
-		teamMembershipService:   parameters.TeamMembershipService,
-		stackService:            parameters.StackService,
-		userService:             parameters.UserService,
-		versionService:          parameters.VersionService,
-		fileService:             parameters.FileService,
-		authorizationService:    parameters.AuthorizationService,
+		db:                     parameters.DB,
+		currentDBVersion:       parameters.DatabaseVersion,
+		endpointGroupService:   parameters.EndpointGroupService,
+		endpointService:        parameters.EndpointService,
+		extensionService:       parameters.ExtensionService,
+		registryService:        parameters.RegistryService,
+		resourceControlService: parameters.ResourceControlService,
+		roleService:            parameters.RoleService,
+		scheduleService:        parameters.ScheduleService,
+		settingsService:        parameters.SettingsService,
+		teamMembershipService:  parameters.TeamMembershipService,
+		templateService:        parameters.TemplateService,
+		stackService:           parameters.StackService,
+		userService:            parameters.UserService,
+		versionService:         parameters.VersionService,
+		fileService:            parameters.FileService,
 	}
 }

 // Migrate checks the database version and migrate the existing data to the most recent data model.
 func (m *Migrator) Migrate() error {
+
 	// Portainer < 1.12
 	if m.currentDBVersion < 1 {
 		err := m.updateAdminUserToDBVersion1()
@@ -293,36 +287,9 @@ func (m *Migrator) Migrate() error {
 		}
 	}

-	// Portainer 1.23.0
-	// DBVersion 21 is missing as it was shipped as via hotfix 1.22.2
-	if m.currentDBVersion < 22 {
-		err := m.updateResourceControlsToDBVersion22()
-		if err != nil {
-			return err
-		}
-
-		err = m.updateUsersAndRolesToDBVersion22()
-		if err != nil {
-			return err
-		}
-	}
-
-	// Portainer 1.24.0
-	if m.currentDBVersion < 23 {
-		err := m.updateTagsToDBVersion23()
-		if err != nil {
-			return err
-		}
-
-		err = m.updateEndpointsAndEndpointGroupsToDBVersion23()
-		if err != nil {
-			return err
-		}
-	}
-
-	// Portainer 2.0
-	if m.currentDBVersion < 24 {
-		err := m.updateSettingsToDB24()
+	// Portainer 1.22.2
+	if m.currentDBVersion < 21 {
+		err := m.updateUsersToDBVersion21()
 		if err != nil {
 			return err
 		}
--- a/api/bolt/resourcecontrol/resourcecontrol.go
+++ b/api/bolt/resourcecontrol/resourcecontrol.go
@@ -42,10 +42,9 @@ func (service *Service) ResourceControl(ID portainer.ResourceControlID) (*portai
 	return &resourceControl, nil
 }

-// ResourceControlByResourceIDAndType returns a ResourceControl object by checking if the resourceID is equal
-// to the main ResourceID or in SubResourceIDs. It also performs a check on the resource type. Return nil
-// if no ResourceControl was found.
-func (service *Service) ResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType) (*portainer.ResourceControl, error) {
+// ResourceControlByResourceID returns a ResourceControl object by checking if the resourceID is equal
+// to the main ResourceID or in SubResourceIDs
+func (service *Service) ResourceControlByResourceID(resourceID string) (*portainer.ResourceControl, error) {
 	var resourceControl *portainer.ResourceControl

 	err := service.db.View(func(tx *bolt.Tx) error {
@@ -59,7 +58,7 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 				return err
 			}

-			if rc.ResourceID == resourceID && rc.Type == resourceType {
+			if rc.ResourceID == resourceID {
 				resourceControl = &rc
 				break
 			}
@@ -72,6 +71,10 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 			}
 		}

+		if resourceControl == nil {
+			return portainer.ErrObjectNotFound
+		}
+
 		return nil
 	})

--- a/api/bolt/tag/tag.go
+++ b/api/bolt/tag/tag.go
@@ -52,19 +52,6 @@ func (service *Service) Tags() ([]portainer.Tag, error) {
 	return tags, err
 }

-// Tag returns a tag by ID.
-func (service *Service) Tag(ID portainer.TagID) (*portainer.Tag, error) {
-	var tag portainer.Tag
-	identifier := internal.Itob(int(ID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &tag)
-	if err != nil {
-		return nil, err
-	}
-
-	return &tag, nil
-}
-
 // CreateTag creates a new tag.
 func (service *Service) CreateTag(tag *portainer.Tag) error {
 	return service.db.Update(func(tx *bolt.Tx) error {
@@ -82,12 +69,6 @@ func (service *Service) CreateTag(tag *portainer.Tag) error {
 	})
 }

-// UpdateTag updates a tag.
-func (service *Service) UpdateTag(ID portainer.TagID, tag *portainer.Tag) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, tag)
-}
-
 // DeleteTag deletes a tag.
 func (service *Service) DeleteTag(ID portainer.TagID) error {
 	identifier := internal.Itob(int(ID))
--- a/api/bolt/edgegroup/edgegroup.go
+++ b/api/bolt/edgegroup/edgegroup.go
@@ -1,17 +1,18 @@
-package edgegroup
+package template

 import (
-	"github.com/boltdb/bolt"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
 )

 const (
 	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "edgegroups"
+	BucketName = "templates"
 )

-// Service represents a service for managing Edge group data.
+// Service represents a service for managing endpoint data.
 type Service struct {
 	db *bolt.DB
 }
@@ -28,67 +29,67 @@ func NewService(db *bolt.DB) (*Service, error) {
 	}, nil
 }

-// EdgeGroups return an array containing all the Edge groups.
-func (service *Service) EdgeGroups() ([]portainer.EdgeGroup, error) {
-	var groups = make([]portainer.EdgeGroup, 0)
+// Templates return an array containing all the templates.
+func (service *Service) Templates() ([]portainer.Template, error) {
+	var templates = make([]portainer.Template, 0)

 	err := service.db.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))

 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var group portainer.EdgeGroup
-			err := internal.UnmarshalObjectWithJsoniter(v, &group)
+			var template portainer.Template
+			err := internal.UnmarshalObject(v, &template)
 			if err != nil {
 				return err
 			}
-			groups = append(groups, group)
+			templates = append(templates, template)
 		}

 		return nil
 	})

-	return groups, err
+	return templates, err
 }

-// EdgeGroup returns an Edge group by ID.
-func (service *Service) EdgeGroup(ID portainer.EdgeGroupID) (*portainer.EdgeGroup, error) {
-	var group portainer.EdgeGroup
+// Template returns a template by ID.
+func (service *Service) Template(ID portainer.TemplateID) (*portainer.Template, error) {
+	var template portainer.Template
 	identifier := internal.Itob(int(ID))

-	err := internal.GetObject(service.db, BucketName, identifier, &group)
+	err := internal.GetObject(service.db, BucketName, identifier, &template)
 	if err != nil {
 		return nil, err
 	}

-	return &group, nil
+	return &template, nil
 }

-// UpdateEdgeGroup updates an Edge group.
-func (service *Service) UpdateEdgeGroup(ID portainer.EdgeGroupID, group *portainer.EdgeGroup) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, group)
-}
-
-// DeleteEdgeGroup deletes an Edge group.
-func (service *Service) DeleteEdgeGroup(ID portainer.EdgeGroupID) error {
-	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}
-
-// CreateEdgeGroup assign an ID to a new Edge group and saves it.
-func (service *Service) CreateEdgeGroup(group *portainer.EdgeGroup) error {
+// CreateTemplate creates a new template.
+func (service *Service) CreateTemplate(template *portainer.Template) error {
 	return service.db.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(BucketName))

 		id, _ := bucket.NextSequence()
-		group.ID = portainer.EdgeGroupID(id)
+		template.ID = portainer.TemplateID(id)

-		data, err := internal.MarshalObject(group)
+		data, err := internal.MarshalObject(template)
 		if err != nil {
 			return err
 		}

-		return bucket.Put(internal.Itob(int(group.ID)), data)
+		return bucket.Put(internal.Itob(int(template.ID)), data)
 	})
 }
+
+// UpdateTemplate saves a template.
+func (service *Service) UpdateTemplate(ID portainer.TemplateID, template *portainer.Template) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, template)
+}
+
+// DeleteTemplate deletes a template.
+func (service *Service) DeleteTemplate(ID portainer.TemplateID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -24,19 +24,21 @@ const (
 // It is used to start a reverse tunnel server and to manage the connection status of each tunnel
 // connected to the tunnel server.
 type Service struct {
-	serverFingerprint string
-	serverPort        string
-	tunnelDetailsMap  cmap.ConcurrentMap
-	dataStore         portainer.DataStore
-	snapshotter       portainer.Snapshotter
-	chiselServer      *chserver.Server
+	serverFingerprint   string
+	serverPort          string
+	tunnelDetailsMap    cmap.ConcurrentMap
+	endpointService     portainer.EndpointService
+	tunnelServerService portainer.TunnelServerService
+	snapshotter         portainer.Snapshotter
+	chiselServer        *chserver.Server
 }

 // NewService returns a pointer to a new instance of Service
-func NewService(dataStore portainer.DataStore) *Service {
+func NewService(endpointService portainer.EndpointService, tunnelServerService portainer.TunnelServerService) *Service {
 	return &Service{
-		tunnelDetailsMap: cmap.New(),
-		dataStore:        dataStore,
+		tunnelDetailsMap:    cmap.New(),
+		endpointService:     endpointService,
+		tunnelServerService: tunnelServerService,
 	}
 }

@@ -87,7 +89,7 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotter portain
 func (service *Service) retrievePrivateKeySeed() (string, error) {
 	var serverInfo *portainer.TunnelServerInfo

-	serverInfo, err := service.dataStore.TunnelServer().Info()
+	serverInfo, err := service.tunnelServerService.Info()
 	if err == portainer.ErrObjectNotFound {
 		keySeed := uniuri.NewLen(16)

@@ -95,7 +97,7 @@ func (service *Service) retrievePrivateKeySeed() (string, error) {
 			PrivateKeySeed: keySeed,
 		}

-		err := service.dataStore.TunnelServer().UpdateInfo(serverInfo)
+		err := service.tunnelServerService.UpdateInfo(serverInfo)
 		if err != nil {
 			return "", err
 		}
@@ -171,13 +173,13 @@ func (service *Service) checkTunnels() {
 }

 func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tunnelPort int) error {
-	endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+	endpoint, err := service.endpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
 		return err
 	}

 	endpointURL := endpoint.URL
-	endpoint.URL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnelPort)
+	endpoint.URL = fmt.Sprintf("tcp://localhost:%d", tunnelPort)
 	snapshot, err := service.snapshotter.CreateSnapshot(endpoint)
 	if err != nil {
 		return err
@@ -185,5 +187,5 @@ func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tun

 	endpoint.Snapshots = []portainer.Snapshot{*snapshot}
 	endpoint.URL = endpointURL
-	return service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	return service.endpointService.UpdateEndpoint(endpoint.ID, endpoint)
 }
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -97,7 +97,7 @@ func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointI
 	tunnel := service.GetTunnelDetails(endpointID)

 	if tunnel.Port == 0 {
-		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+		endpoint, err := service.endpointService.Endpoint(endpointID)
 		if err != nil {
 			return err
 		}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -1,7 +1,6 @@
 package cli

 import (
-	"log"
 	"time"

 	"github.com/portainer/portainer/api"
@@ -19,7 +18,11 @@ type Service struct{}
 const (
 	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
 	errSocketOrNamedPipeNotFound     = portainer.Error("Unable to locate Unix socket or named pipe")
+	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
+	errTemplateFileNotFound          = portainer.Error("Unable to locate template file on disk")
+	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
 	errInvalidSnapshotInterval       = portainer.Error("Invalid snapshot interval")
+	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
 	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
 	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )
@@ -35,7 +38,8 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
 		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
 		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
-		NoAuth:            kingpin.Flag("no-auth", "Disable authentication (deprecated)").Default(defaultNoAuth).Bool(),
+		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints").String(),
+		NoAuth:            kingpin.Flag("no-auth", "Disable authentication").Default(defaultNoAuth).Bool(),
 		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
 		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
 		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
@@ -45,12 +49,15 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
 		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
 		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source").Default(defaultSyncInterval).String(),
+		Snapshot:          kingpin.Flag("snapshot", "Start a background job to create endpoint snapshots").Default(defaultSnapshot).Bool(),
 		SnapshotInterval:  kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
 		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
 		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:         kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
+		TemplateFile:      kingpin.Flag("template-file", "Path to the templates (app) definitions on the filesystem").Default(defaultTemplateFile).String(),
 	}

 	kingpin.Parse()
@@ -69,9 +76,26 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 // ValidateFlags validates the values of the flags.
 func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {

-	displayDeprecationWarnings(flags)
+	if *flags.EndpointURL != "" && *flags.ExternalEndpoints != "" {
+		return errEndpointExcludeExternal
+	}

-	err := validateEndpointURL(*flags.EndpointURL)
+	err := validateTemplateFile(*flags.TemplateFile)
+	if err != nil {
+		return err
+	}
+
+	err = validateEndpointURL(*flags.EndpointURL)
+	if err != nil {
+		return err
+	}
+
+	err = validateExternalEndpoints(*flags.ExternalEndpoints)
+	if err != nil {
+		return err
+	}
+
+	err = validateSyncInterval(*flags.SyncInterval)
 	if err != nil {
 		return err
 	}
@@ -92,12 +116,6 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 	return nil
 }

-func displayDeprecationWarnings(flags *portainer.CLIFlags) {
-	if *flags.NoAuth {
-		log.Println("Warning: the --no-auth flag is deprecated and will likely be removed in a future version of Portainer.")
-	}
-}
-
 func validateEndpointURL(endpointURL string) error {
 	if endpointURL != "" {
 		if !strings.HasPrefix(endpointURL, "unix://") && !strings.HasPrefix(endpointURL, "tcp://") && !strings.HasPrefix(endpointURL, "npipe://") {
@@ -118,6 +136,38 @@ func validateEndpointURL(endpointURL string) error {
 	return nil
 }

+func validateExternalEndpoints(externalEndpoints string) error {
+	if externalEndpoints != "" {
+		if _, err := os.Stat(externalEndpoints); err != nil {
+			if os.IsNotExist(err) {
+				return errEndpointsFileNotFound
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+func validateTemplateFile(templateFile string) error {
+	if _, err := os.Stat(templateFile); err != nil {
+		if os.IsNotExist(err) {
+			return errTemplateFileNotFound
+		}
+		return err
+	}
+	return nil
+}
+
+func validateSyncInterval(syncInterval string) error {
+	if syncInterval != defaultSyncInterval {
+		_, err := time.ParseDuration(syncInterval)
+		if err != nil {
+			return errInvalidSyncInterval
+		}
+	}
+	return nil
+}
+
 func validateSnapshotInterval(snapshotInterval string) error {
 	if snapshotInterval != defaultSnapshotInterval {
 		_, err := time.ParseDuration(snapshotInterval)
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -18,5 +18,8 @@ const (
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
+	defaultSyncInterval        = "60s"
+	defaultSnapshot            = "true"
 	defaultSnapshotInterval    = "5m"
+	defaultTemplateFile        = "/templates.json"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -16,5 +16,8 @@ const (
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
+	defaultSyncInterval        = "60s"
+	defaultSnapshot            = "true"
 	defaultSnapshotInterval    = "5m"
+	defaultTemplateFile        = "/templates.json"
 )
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"encoding/json"
 	"log"
 	"os"
 	"strings"
@@ -25,13 +26,13 @@ import (
 )

 func initCLI() *portainer.CLIFlags {
-	var cliService portainer.CLIService = &cli.Service{}
-	flags, err := cliService.ParseFlags(portainer.APIVersion)
+	var cli portainer.CLIService = &cli.Service{}
+	flags, err := cli.ParseFlags(portainer.APIVersion)
 	if err != nil {
 		log.Fatal(err)
 	}

-	err = cliService.ValidateFlags(flags)
+	err = cli.ValidateFlags(flags)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -46,7 +47,7 @@ func initFileService(dataStorePath string) portainer.FileService {
 	return fileService
 }

-func initDataStore(dataStorePath string, fileService portainer.FileService) portainer.DataStore {
+func initStore(dataStorePath string, fileService portainer.FileService) *bolt.Store {
 	store, err := bolt.NewStore(dataStorePath, fileService)
 	if err != nil {
 		log.Fatal(err)
@@ -116,13 +117,13 @@ func initJobScheduler() portainer.JobScheduler {
 	return cron.NewJobScheduler()
 }

-func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter portainer.Snapshotter, dataStore portainer.DataStore) error {
-	settings, err := dataStore.Settings().Settings()
+func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter portainer.Snapshotter, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, settingsService portainer.SettingsService) error {
+	settings, err := settingsService.Settings()
 	if err != nil {
 		return err
 	}

-	schedules, err := dataStore.Schedule().SchedulesByJobType(portainer.SnapshotJobType)
+	schedules, err := scheduleService.SchedulesByJobType(portainer.SnapshotJobType)
 	if err != nil {
 		return err
 	}
@@ -131,7 +132,7 @@ func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter
 	if len(schedules) == 0 {
 		snapshotJob := &portainer.SnapshotJob{}
 		snapshotSchedule = &portainer.Schedule{
-			ID:             portainer.ScheduleID(dataStore.Schedule().GetNextIdentifier()),
+			ID:             portainer.ScheduleID(scheduleService.GetNextIdentifier()),
 			Name:           "system_snapshot",
 			CronExpression: "@every " + settings.SnapshotInterval,
 			Recurring:      true,
@@ -143,7 +144,7 @@ func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter
 		snapshotSchedule = &schedules[0]
 	}

-	snapshotJobContext := cron.NewSnapshotJobContext(dataStore, snapshotter)
+	snapshotJobContext := cron.NewSnapshotJobContext(endpointService, snapshotter)
 	snapshotJobRunner := cron.NewSnapshotJobRunner(snapshotSchedule, snapshotJobContext)

 	err = jobScheduler.ScheduleJob(snapshotJobRunner)
@@ -152,13 +153,52 @@ func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter
 	}

 	if len(schedules) == 0 {
-		return dataStore.Schedule().CreateSchedule(snapshotSchedule)
+		return scheduleService.CreateSchedule(snapshotSchedule)
 	}
 	return nil
 }

-func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) error {
-	schedules, err := dataStore.Schedule().Schedules()
+func loadEndpointSyncSystemSchedule(jobScheduler portainer.JobScheduler, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, flags *portainer.CLIFlags) error {
+	if *flags.ExternalEndpoints == "" {
+		return nil
+	}
+
+	log.Println("Using external endpoint definition. Endpoint management via the API will be disabled.")
+
+	schedules, err := scheduleService.SchedulesByJobType(portainer.EndpointSyncJobType)
+	if err != nil {
+		return err
+	}
+
+	if len(schedules) != 0 {
+		return nil
+	}
+
+	endpointSyncJob := &portainer.EndpointSyncJob{}
+
+	endpointSyncSchedule := &portainer.Schedule{
+		ID:              portainer.ScheduleID(scheduleService.GetNextIdentifier()),
+		Name:            "system_endpointsync",
+		CronExpression:  "@every " + *flags.SyncInterval,
+		Recurring:       true,
+		JobType:         portainer.EndpointSyncJobType,
+		EndpointSyncJob: endpointSyncJob,
+		Created:         time.Now().Unix(),
+	}
+
+	endpointSyncJobContext := cron.NewEndpointSyncJobContext(endpointService, *flags.ExternalEndpoints)
+	endpointSyncJobRunner := cron.NewEndpointSyncJobRunner(endpointSyncSchedule, endpointSyncJobContext)
+
+	err = jobScheduler.ScheduleJob(endpointSyncJobRunner)
+	if err != nil {
+		return err
+	}
+
+	return scheduleService.CreateSchedule(endpointSyncSchedule)
+}
+
+func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService portainer.JobService, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) error {
+	schedules, err := scheduleService.Schedules()
 	if err != nil {
 		return err
 	}
@@ -166,7 +206,7 @@ func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService p
 	for _, schedule := range schedules {

 		if schedule.JobType == portainer.ScriptExecutionJobType {
-			jobContext := cron.NewScriptExecutionJobContext(jobService, dataStore, fileService)
+			jobContext := cron.NewScriptExecutionJobContext(jobService, endpointService, fileService)
 			jobRunner := cron.NewScriptExecutionJobRunner(&schedule, jobContext)

 			err = jobScheduler.ScheduleJob(jobRunner)
@@ -186,32 +226,120 @@ func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService p
 	return nil
 }

-func initStatus(flags *portainer.CLIFlags) *portainer.Status {
+func initStatus(endpointManagement, snapshot bool, flags *portainer.CLIFlags) *portainer.Status {
 	return &portainer.Status{
-		Analytics:      !*flags.NoAnalytics,
-		Authentication: !*flags.NoAuth,
-		Version:        portainer.APIVersion,
+		Analytics:          !*flags.NoAnalytics,
+		Authentication:     !*flags.NoAuth,
+		EndpointManagement: endpointManagement,
+		Snapshot:           snapshot,
+		Version:            portainer.APIVersion,
 	}
 }

-func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLIFlags) error {
-	settings, err := dataStore.Settings().Settings()
+func initDockerHub(dockerHubService portainer.DockerHubService) error {
+	_, err := dockerHubService.DockerHub()
+	if err == portainer.ErrObjectNotFound {
+		dockerhub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
+		}
+		return dockerHubService.UpdateDockerHub(dockerhub)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initSettings(settingsService portainer.SettingsService, flags *portainer.CLIFlags) error {
+	_, err := settingsService.Settings()
+	if err == portainer.ErrObjectNotFound {
+		settings := &portainer.Settings{
+			LogoURL:              *flags.Logo,
+			AuthenticationMethod: portainer.AuthenticationInternal,
+			LDAPSettings: portainer.LDAPSettings{
+				AutoCreateUsers: true,
+				TLSConfig:       portainer.TLSConfiguration{},
+				SearchSettings: []portainer.LDAPSearchSettings{
+					portainer.LDAPSearchSettings{},
+				},
+				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
+					portainer.LDAPGroupSearchSettings{},
+				},
+			},
+			OAuthSettings:                      portainer.OAuthSettings{},
+			AllowBindMountsForRegularUsers:     true,
+			AllowPrivilegedModeForRegularUsers: true,
+			AllowVolumeBrowserForRegularUsers:  false,
+			EnableHostManagementFeatures:       false,
+			SnapshotInterval:                   *flags.SnapshotInterval,
+			EdgeAgentCheckinInterval:           portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+		}
+
+		if *flags.Templates != "" {
+			settings.TemplatesURL = *flags.Templates
+		}
+
+		if *flags.Labels != nil {
+			settings.BlackListedLabels = *flags.Labels
+		} else {
+			settings.BlackListedLabels = make([]portainer.Pair, 0)
+		}
+
+		return settingsService.UpdateSettings(settings)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initTemplates(templateService portainer.TemplateService, fileService portainer.FileService, templateURL, templateFile string) error {
+	if templateURL != "" {
+		log.Printf("Portainer started with the --templates flag. Using external templates, template management will be disabled.")
+		return nil
+	}
+
+	existingTemplates, err := templateService.Templates()
 	if err != nil {
 		return err
 	}

-	settings.LogoURL = *flags.Logo
-	settings.SnapshotInterval = *flags.SnapshotInterval
-
-	if *flags.Templates != "" {
-		settings.TemplatesURL = *flags.Templates
+	if len(existingTemplates) != 0 {
+		log.Printf("Templates already registered inside the database. Skipping template import.")
+		return nil
 	}

-	if *flags.Labels != nil {
-		settings.BlackListedLabels = *flags.Labels
+	templatesJSON, err := fileService.GetFileContent(templateFile)
+	if err != nil {
+		log.Println("Unable to retrieve template definitions via filesystem")
+		return err
 	}

-	return dataStore.Settings().UpdateSettings(settings)
+	var templates []portainer.Template
+	err = json.Unmarshal(templatesJSON, &templates)
+	if err != nil {
+		log.Println("Unable to parse templates file. Please review your template definition file.")
+		return err
+	}
+
+	for _, template := range templates {
+		err := templateService.CreateTemplate(&template)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService) *portainer.Endpoint {
+	endpoints, err := endpointService.Endpoints()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return &endpoints[0]
 }

 func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
@@ -243,7 +371,7 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	return generateAndStoreKeyPair(fileService, signatureService)
 }

-func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	tlsConfiguration := portainer.TLSConfiguration{
 		TLS:           *flags.TLS,
 		TLSSkipVerify: *flags.TLSSkipVerify,
@@ -257,7 +385,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		tlsConfiguration.TLS = true
 	}

-	endpointID := dataStore.Endpoint().GetNextIdentifier()
+	endpointID := endpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:                 portainer.EndpointID(endpointID),
 		Name:               "primary",
@@ -268,7 +396,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 		Extensions:         []portainer.EndpointExtension{},
-		TagIDs:             []portainer.TagID{},
+		Tags:               []string{},
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.Snapshot{},
 	}
@@ -289,10 +417,10 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		}
 	}

-	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
+	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
 }

-func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func createUnsecuredEndpoint(endpointURL string, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
 		_, err := client.ExecutePingOperation(endpointURL, nil)
 		if err != nil {
@@ -300,7 +428,7 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		}
 	}

-	endpointID := dataStore.Endpoint().GetNextIdentifier()
+	endpointID := endpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:                 portainer.EndpointID(endpointID),
 		Name:               "primary",
@@ -311,15 +439,15 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 		Extensions:         []portainer.EndpointExtension{},
-		TagIDs:             []portainer.TagID{},
+		Tags:               []string{},
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.Snapshot{},
 	}

-	return snapshotAndPersistEndpoint(endpoint, dataStore, snapshotter)
+	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
 }

-func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	snapshot, err := snapshotter.CreateSnapshot(endpoint)
 	endpoint.Status = portainer.EndpointStatusUp
 	if err != nil {
@@ -330,15 +458,15 @@ func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, dataStore portaine
 		endpoint.Snapshots = []portainer.Snapshot{*snapshot}
 	}

-	return dataStore.Endpoint().CreateEndpoint(endpoint)
+	return endpointService.CreateEndpoint(endpoint)
 }

-func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotter portainer.Snapshotter) error {
+func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	if *flags.EndpointURL == "" {
 		return nil
 	}

-	endpoints, err := dataStore.Endpoint().Endpoints()
+	endpoints, err := endpointService.Endpoints()
 	if err != nil {
 		return err
 	}
@@ -349,31 +477,46 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snap
 	}

 	if *flags.TLS || *flags.TLSSkipVerify {
-		return createTLSSecuredEndpoint(flags, dataStore, snapshotter)
+		return createTLSSecuredEndpoint(flags, endpointService, snapshotter)
 	}
-	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotter)
+	return createUnsecuredEndpoint(*flags.EndpointURL, endpointService, snapshotter)
 }

 func initJobService(dockerClientFactory *docker.ClientFactory) portainer.JobService {
 	return docker.NewJobService(dockerClientFactory)
 }

-func initExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) (portainer.ExtensionManager, error) {
-	extensionManager := exec.NewExtensionManager(fileService, dataStore)
+func initExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) (portainer.ExtensionManager, error) {
+	extensionManager := exec.NewExtensionManager(fileService, extensionService)

-	err := extensionManager.StartExtensions()
+	extensions, err := extensionService.Extensions()
 	if err != nil {
 		return nil, err
 	}

+	for _, extension := range extensions {
+		err := extensionManager.EnableExtension(&extension, extension.License.LicenseKey)
+		if err != nil {
+			log.Printf("Unable to enable extension: %s [extension: %s]", err.Error(), extension.Name)
+			extension.Enabled = false
+			extension.License.Valid = false
+		}
+
+		err = extensionService.Persist(&extension)
+		if err != nil {
+			return nil, err
+		}
+
+	}
+
 	return extensionManager, nil
 }

-func terminateIfNoAdminCreated(dataStore portainer.DataStore) {
+func terminateIfNoAdminCreated(userService portainer.UserService) {
 	timer1 := time.NewTimer(5 * time.Minute)
 	<-timer1.C

-	users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
+	users, err := userService.UsersByRole(portainer.AdministratorRole)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -389,8 +532,8 @@ func main() {

 	fileService := initFileService(*flags.Data)

-	dataStore := initDataStore(*flags.Data, fileService)
-	defer dataStore.Close()
+	store := initStore(*flags.Data, fileService)
+	defer store.Close()

 	jwtService := initJWTService(!*flags.NoAuth)

@@ -407,12 +550,12 @@ func main() {
 		log.Fatal(err)
 	}

-	extensionManager, err := initExtensionManager(fileService, dataStore)
+	extensionManager, err := initExtensionManager(fileService, store.ExtensionService)
 	if err != nil {
 		log.Fatal(err)
 	}

-	reverseTunnelService := chisel.NewService(dataStore)
+	reverseTunnelService := chisel.NewService(store.EndpointService, store.TunnelServerService)

 	clientFactory := initClientFactory(digitalSignatureService, reverseTunnelService)

@@ -420,6 +563,11 @@ func main() {

 	snapshotter := initSnapshotter(clientFactory)

+	endpointManagement := true
+	if *flags.ExternalEndpoints != "" {
+		endpointManagement = false
+	}
+
 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
 	if err != nil {
 		log.Fatal(err)
@@ -427,30 +575,45 @@ func main() {

 	composeStackManager := initComposeStackManager(*flags.Data, reverseTunnelService)

-	if dataStore.IsNew() {
-		err = updateSettingsFromFlags(dataStore, flags)
+	err = initTemplates(store.TemplateService, fileService, *flags.Templates, *flags.TemplateFile)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = initSettings(store.SettingsService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	jobScheduler := initJobScheduler()
+
+	err = loadSchedulesFromDatabase(jobScheduler, jobService, store.ScheduleService, store.EndpointService, fileService, reverseTunnelService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = loadEndpointSyncSystemSchedule(jobScheduler, store.ScheduleService, store.EndpointService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if *flags.Snapshot {
+		err = loadSnapshotSystemSchedule(jobScheduler, snapshotter, store.ScheduleService, store.EndpointService, store.SettingsService)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}

-	jobScheduler := initJobScheduler()
-
-	err = loadSchedulesFromDatabase(jobScheduler, jobService, dataStore, fileService, reverseTunnelService)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = loadSnapshotSystemSchedule(jobScheduler, snapshotter, dataStore)
-	if err != nil {
-		log.Fatal(err)
-	}
-
 	jobScheduler.Start()

-	applicationStatus := initStatus(flags)
+	err = initDockerHub(store.DockerHubService)
+	if err != nil {
+		log.Fatal(err)
+	}

-	err = initEndpoint(flags, dataStore, snapshotter)
+	applicationStatus := initStatus(endpointManagement, *flags.Snapshot, flags)
+
+	err = initEndpoint(flags, store.EndpointService, snapshotter)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -470,20 +633,20 @@ func main() {
 	}

 	if adminPasswordHash != "" {
-		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
+		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
 		if err != nil {
 			log.Fatal(err)
 		}

 		if len(users) == 0 {
-			log.Println("Created admin user with the given password.")
+			log.Printf("Creating admin user with password hash %s", adminPasswordHash)
 			user := &portainer.User{
 				Username:                "admin",
 				Role:                    portainer.AdministratorRole,
 				Password:                adminPasswordHash,
 				PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 			}
-			err := dataStore.User().CreateUser(user)
+			err := store.UserService.CreateUser(user)
 			if err != nil {
 				log.Fatal(err)
 			}
@@ -493,7 +656,7 @@ func main() {
 	}

 	if !*flags.NoAuth {
-		go terminateIfNoAdminCreated(dataStore)
+		go terminateIfNoAdminCreated(store.UserService)
 	}

 	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotter)
@@ -502,28 +665,44 @@ func main() {
 	}

 	var server portainer.Server = &http.Server{
-		ReverseTunnelService: reverseTunnelService,
-		Status:               applicationStatus,
-		BindAddress:          *flags.Addr,
-		AssetsPath:           *flags.Assets,
-		AuthDisabled:         *flags.NoAuth,
-		DataStore:            dataStore,
-		SwarmStackManager:    swarmStackManager,
-		ComposeStackManager:  composeStackManager,
-		ExtensionManager:     extensionManager,
-		CryptoService:        cryptoService,
-		JWTService:           jwtService,
-		FileService:          fileService,
-		LDAPService:          ldapService,
-		GitService:           gitService,
-		SignatureService:     digitalSignatureService,
-		JobScheduler:         jobScheduler,
-		Snapshotter:          snapshotter,
-		SSL:                  *flags.SSL,
-		SSLCert:              *flags.SSLCert,
-		SSLKey:               *flags.SSLKey,
-		DockerClientFactory:  clientFactory,
-		JobService:           jobService,
+		ReverseTunnelService:   reverseTunnelService,
+		Status:                 applicationStatus,
+		BindAddress:            *flags.Addr,
+		AssetsPath:             *flags.Assets,
+		AuthDisabled:           *flags.NoAuth,
+		EndpointManagement:     endpointManagement,
+		RoleService:            store.RoleService,
+		UserService:            store.UserService,
+		TeamService:            store.TeamService,
+		TeamMembershipService:  store.TeamMembershipService,
+		EndpointService:        store.EndpointService,
+		EndpointGroupService:   store.EndpointGroupService,
+		ExtensionService:       store.ExtensionService,
+		ResourceControlService: store.ResourceControlService,
+		SettingsService:        store.SettingsService,
+		RegistryService:        store.RegistryService,
+		DockerHubService:       store.DockerHubService,
+		StackService:           store.StackService,
+		ScheduleService:        store.ScheduleService,
+		TagService:             store.TagService,
+		TemplateService:        store.TemplateService,
+		WebhookService:         store.WebhookService,
+		SwarmStackManager:      swarmStackManager,
+		ComposeStackManager:    composeStackManager,
+		ExtensionManager:       extensionManager,
+		CryptoService:          cryptoService,
+		JWTService:             jwtService,
+		FileService:            fileService,
+		LDAPService:            ldapService,
+		GitService:             gitService,
+		SignatureService:       digitalSignatureService,
+		JobScheduler:           jobScheduler,
+		Snapshotter:            snapshotter,
+		SSL:                    *flags.SSL,
+		SSLCert:                *flags.SSLCert,
+		SSLKey:                 *flags.SSLKey,
+		DockerClientFactory:    clientFactory,
+		JobService:             jobService,
 	}

 	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
--- a/api/cron/job_endpoint_sync.go
+++ b/api/cron/job_endpoint_sync.go
@@ -0,0 +1,214 @@
+package cron
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"strings"
+
+	"github.com/portainer/portainer/api"
+)
+
+// EndpointSyncJobRunner is used to run a EndpointSyncJob
+type EndpointSyncJobRunner struct {
+	schedule *portainer.Schedule
+	context  *EndpointSyncJobContext
+}
+
+// EndpointSyncJobContext represents the context of execution of a EndpointSyncJob
+type EndpointSyncJobContext struct {
+	endpointService  portainer.EndpointService
+	endpointFilePath string
+}
+
+// NewEndpointSyncJobContext returns a new context that can be used to execute a EndpointSyncJob
+func NewEndpointSyncJobContext(endpointService portainer.EndpointService, endpointFilePath string) *EndpointSyncJobContext {
+	return &EndpointSyncJobContext{
+		endpointService:  endpointService,
+		endpointFilePath: endpointFilePath,
+	}
+}
+
+// NewEndpointSyncJobRunner returns a new runner that can be scheduled
+func NewEndpointSyncJobRunner(schedule *portainer.Schedule, context *EndpointSyncJobContext) *EndpointSyncJobRunner {
+	return &EndpointSyncJobRunner{
+		schedule: schedule,
+		context:  context,
+	}
+}
+
+type synchronization struct {
+	endpointsToCreate []*portainer.Endpoint
+	endpointsToUpdate []*portainer.Endpoint
+	endpointsToDelete []*portainer.Endpoint
+}
+
+type fileEndpoint struct {
+	Name          string `json:"Name"`
+	URL           string `json:"URL"`
+	TLS           bool   `json:"TLS,omitempty"`
+	TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
+	TLSCACert     string `json:"TLSCACert,omitempty"`
+	TLSCert       string `json:"TLSCert,omitempty"`
+	TLSKey        string `json:"TLSKey,omitempty"`
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *EndpointSyncJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}
+
+// Run triggers the execution of the endpoint synchronization process.
+func (runner *EndpointSyncJobRunner) Run() {
+	data, err := ioutil.ReadFile(runner.context.endpointFilePath)
+	if endpointSyncError(err) {
+		return
+	}
+
+	var fileEndpoints []fileEndpoint
+	err = json.Unmarshal(data, &fileEndpoints)
+	if endpointSyncError(err) {
+		return
+	}
+
+	if len(fileEndpoints) == 0 {
+		log.Println("background job error (endpoint synchronization). External endpoint source is empty")
+		return
+	}
+
+	storedEndpoints, err := runner.context.endpointService.Endpoints()
+	if endpointSyncError(err) {
+		return
+	}
+
+	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
+
+	sync := prepareSyncData(storedEndpoints, convertedFileEndpoints)
+	if sync.requireSync() {
+		err = runner.context.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
+		if endpointSyncError(err) {
+			return
+		}
+		log.Printf("Endpoint synchronization ended. [created: %v] [updated: %v] [deleted: %v]", len(sync.endpointsToCreate), len(sync.endpointsToUpdate), len(sync.endpointsToDelete))
+	}
+}
+
+func endpointSyncError(err error) bool {
+	if err != nil {
+		log.Printf("background job error (endpoint synchronization). Unable to synchronize endpoints (err=%s)\n", err)
+		return true
+	}
+	return false
+}
+
+func isValidEndpoint(endpoint *portainer.Endpoint) bool {
+	if endpoint.Name != "" && endpoint.URL != "" {
+		if !strings.HasPrefix(endpoint.URL, "unix://") && !strings.HasPrefix(endpoint.URL, "tcp://") {
+			return false
+		}
+		return true
+	}
+	return false
+}
+
+func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
+	convertedEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, e := range fileEndpoints {
+		endpoint := portainer.Endpoint{
+			Name:      e.Name,
+			URL:       e.URL,
+			TLSConfig: portainer.TLSConfiguration{},
+		}
+		if e.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
+			endpoint.TLSConfig.TLSCertPath = e.TLSCert
+			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
+		}
+		convertedEndpoints = append(convertedEndpoints, endpoint)
+	}
+
+	return convertedEndpoints
+}
+
+func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
+	for idx, v := range endpoints {
+		if endpoint.Name == v.Name && isValidEndpoint(&v) {
+			return idx
+		}
+	}
+	return -1
+}
+
+func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
+	var endpoint *portainer.Endpoint
+	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
+		endpoint = original
+		endpoint.URL = updated.URL
+		if updated.TLSConfig.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
+		} else {
+			endpoint.TLSConfig.TLS = false
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = ""
+			endpoint.TLSConfig.TLSCertPath = ""
+			endpoint.TLSConfig.TLSKeyPath = ""
+		}
+	}
+	return endpoint
+}
+
+func (sync synchronization) requireSync() bool {
+	if len(sync.endpointsToCreate) != 0 || len(sync.endpointsToUpdate) != 0 || len(sync.endpointsToDelete) != 0 {
+		return true
+	}
+	return false
+}
+
+func prepareSyncData(storedEndpoints, fileEndpoints []portainer.Endpoint) *synchronization {
+	endpointsToCreate := make([]*portainer.Endpoint, 0)
+	endpointsToUpdate := make([]*portainer.Endpoint, 0)
+	endpointsToDelete := make([]*portainer.Endpoint, 0)
+
+	for idx := range storedEndpoints {
+		fidx := endpointExists(&storedEndpoints[idx], fileEndpoints)
+		if fidx != -1 {
+			endpoint := mergeEndpointIfRequired(&storedEndpoints[idx], &fileEndpoints[fidx])
+			if endpoint != nil {
+				log.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
+				endpointsToUpdate = append(endpointsToUpdate, endpoint)
+			}
+		} else {
+			log.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
+			endpointsToDelete = append(endpointsToDelete, &storedEndpoints[idx])
+		}
+	}
+
+	for idx, endpoint := range fileEndpoints {
+		if !isValidEndpoint(&endpoint) {
+			log.Printf("Invalid file endpoint definition, skipping. [name: %v] [url: %v]", endpoint.Name, endpoint.URL)
+			continue
+		}
+		sidx := endpointExists(&fileEndpoints[idx], storedEndpoints)
+		if sidx == -1 {
+			log.Printf("File endpoint not found in database, adding to database. [name: %v] [url: %v]", fileEndpoints[idx].Name, fileEndpoints[idx].URL)
+			endpointsToCreate = append(endpointsToCreate, &fileEndpoints[idx])
+		}
+	}
+
+	return &synchronization{
+		endpointsToCreate: endpointsToCreate,
+		endpointsToUpdate: endpointsToUpdate,
+		endpointsToDelete: endpointsToDelete,
+	}
+}
--- a/api/cron/job_script_execution.go
+++ b/api/cron/job_script_execution.go
@@ -16,17 +16,17 @@ type ScriptExecutionJobRunner struct {

 // ScriptExecutionJobContext represents the context of execution of a ScriptExecutionJob
 type ScriptExecutionJobContext struct {
-	dataStore   portainer.DataStore
-	jobService  portainer.JobService
-	fileService portainer.FileService
+	jobService      portainer.JobService
+	endpointService portainer.EndpointService
+	fileService     portainer.FileService
 }

 // NewScriptExecutionJobContext returns a new context that can be used to execute a ScriptExecutionJob
-func NewScriptExecutionJobContext(jobService portainer.JobService, dataStore portainer.DataStore, fileService portainer.FileService) *ScriptExecutionJobContext {
+func NewScriptExecutionJobContext(jobService portainer.JobService, endpointService portainer.EndpointService, fileService portainer.FileService) *ScriptExecutionJobContext {
 	return &ScriptExecutionJobContext{
-		jobService:  jobService,
-		dataStore:   dataStore,
-		fileService: fileService,
+		jobService:      jobService,
+		endpointService: endpointService,
+		fileService:     fileService,
 	}
 }

@@ -56,7 +56,7 @@ func (runner *ScriptExecutionJobRunner) Run() {

 	targets := make([]*portainer.Endpoint, 0)
 	for _, endpointID := range runner.schedule.ScriptExecutionJob.Endpoints {
-		endpoint, err := runner.context.dataStore.Endpoint().Endpoint(endpointID)
+		endpoint, err := runner.context.endpointService.Endpoint(endpointID)
 		if err != nil {
 			log.Printf("scheduled job error (script execution). Unable to retrieve information about endpoint (id=%d) (err=%s)\n", endpointID, err)
 			return
--- a/api/cron/job_snapshot.go
+++ b/api/cron/job_snapshot.go
@@ -14,15 +14,15 @@ type SnapshotJobRunner struct {

 // SnapshotJobContext represents the context of execution of a SnapshotJob
 type SnapshotJobContext struct {
-	dataStore   portainer.DataStore
-	snapshotter portainer.Snapshotter
+	endpointService portainer.EndpointService
+	snapshotter     portainer.Snapshotter
 }

 // NewSnapshotJobContext returns a new context that can be used to execute a SnapshotJob
-func NewSnapshotJobContext(dataStore portainer.DataStore, snapshotter portainer.Snapshotter) *SnapshotJobContext {
+func NewSnapshotJobContext(endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) *SnapshotJobContext {
 	return &SnapshotJobContext{
-		dataStore:   dataStore,
-		snapshotter: snapshotter,
+		endpointService: endpointService,
+		snapshotter:     snapshotter,
 	}
 }

@@ -46,20 +46,20 @@ func (runner *SnapshotJobRunner) GetSchedule() *portainer.Schedule {
 // retrieve the latest version of the endpoint right after a snapshot.
 func (runner *SnapshotJobRunner) Run() {
 	go func() {
-		endpoints, err := runner.context.dataStore.Endpoint().Endpoints()
+		endpoints, err := runner.context.endpointService.Endpoints()
 		if err != nil {
 			log.Printf("background schedule error (endpoint snapshot). Unable to retrieve endpoint list (err=%s)\n", err)
 			return
 		}

 		for _, endpoint := range endpoints {
-			if endpoint.Type == portainer.EdgeAgentEnvironment {
+			if endpoint.Type == portainer.AzureEnvironment || endpoint.Type == portainer.EdgeAgentEnvironment {
 				continue
 			}

 			snapshot, snapshotError := runner.context.snapshotter.CreateSnapshot(&endpoint)

-			latestEndpointReference, err := runner.context.dataStore.Endpoint().Endpoint(endpoint.ID)
+			latestEndpointReference, err := runner.context.endpointService.Endpoint(endpoint.ID)
 			if latestEndpointReference == nil {
 				log.Printf("background schedule error (endpoint snapshot). Endpoint not found inside the database anymore (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 				continue
@@ -75,7 +75,7 @@ func (runner *SnapshotJobRunner) Run() {
 				latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
 			}

-			err = runner.context.dataStore.Endpoint().UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
+			err = runner.context.endpointService.UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
 			if err != nil {
 				log.Printf("background schedule error (endpoint snapshot). Unable to update endpoint (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 				return
--- a/api/cron/scheduler.go
+++ b/api/cron/scheduler.go
@@ -2,7 +2,7 @@ package cron

 import (
 	"github.com/portainer/portainer/api"
-	"github.com/robfig/cron/v3"
+	"github.com/robfig/cron"
 )

 // JobScheduler represents a service for managing crons
--- a/api/docker/client.go
+++ b/api/docker/client.go
@@ -7,14 +7,13 @@ import (
 	"time"

 	"github.com/docker/docker/client"
-	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 )

 const (
 	unsupportedEnvironmentType  = portainer.Error("Environment not supported")
 	defaultDockerRequestTimeout = 60
-	dockerClientVersion         = "1.37"
 )

 // ClientFactory is used to create Docker clients
@@ -35,7 +34,9 @@ func NewClientFactory(signatureService portainer.DigitalSignatureService, revers
 // a specific endpoint configuration. The nodeName parameter can be used
 // with an agent enabled endpoint to target a specific node in an agent cluster.
 func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string) (*client.Client, error) {
-	if endpoint.Type == portainer.AgentOnDockerEnvironment {
+	if endpoint.Type == portainer.AzureEnvironment {
+		return nil, unsupportedEnvironmentType
+	} else if endpoint.Type == portainer.AgentOnDockerEnvironment {
 		return createAgentClient(endpoint, factory.signatureService, nodeName)
 	} else if endpoint.Type == portainer.EdgeAgentEnvironment {
 		return createEdgeClient(endpoint, factory.reverseTunnelService, nodeName)
@@ -50,7 +51,7 @@ func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeNam
 func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithVersion(portainer.SupportedDockerAPIVersion),
 	)
 }

@@ -62,7 +63,7 @@ func createTCPClient(endpoint *portainer.Endpoint) (*client.Client, error) {

 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithVersion(portainer.SupportedDockerAPIVersion),
 		client.WithHTTPClient(httpCli),
 	)
 }
@@ -79,11 +80,11 @@ func createEdgeClient(endpoint *portainer.Endpoint, reverseTunnelService portain
 	}

 	tunnel := reverseTunnelService.GetTunnelDetails(endpoint.ID)
-	endpointURL := fmt.Sprintf("http://127.0.0.1:%d", tunnel.Port)
+	endpointURL := fmt.Sprintf("http://localhost:%d", tunnel.Port)

 	return client.NewClientWithOpts(
 		client.WithHost(endpointURL),
-		client.WithVersion(dockerClientVersion),
+		client.WithVersion(portainer.SupportedDockerAPIVersion),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
 	)
@@ -111,7 +112,7 @@ func createAgentClient(endpoint *portainer.Endpoint, signatureService portainer.

 	return client.NewClientWithOpts(
 		client.WithHost(endpoint.URL),
-		client.WithVersion(dockerClientVersion),
+		client.WithVersion(portainer.SupportedDockerAPIVersion),
 		client.WithHTTPClient(httpCli),
 		client.WithHTTPHeaders(headers),
 	)
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -3,7 +3,6 @@ package docker
 import (
 	"context"
 	"log"
-	"strings"
 	"time"

 	"github.com/docker/docker/api/types"
@@ -127,8 +126,6 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error

 	runningContainers := 0
 	stoppedContainers := 0
-	healthyContainers := 0
-	unhealthyContainers := 0
 	stacks := make(map[string]struct{})
 	for _, container := range containers {
 		if container.State == "exited" {
@@ -137,12 +134,6 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error
 			runningContainers++
 		}

-		if strings.Contains(container.Status, "(healthy)") {
-			healthyContainers++
-		} else if strings.Contains(container.Status, "(unhealthy)") {
-			unhealthyContainers++
-		}
-
 		for k, v := range container.Labels {
 			if k == "com.docker.compose.project" {
 				stacks[v] = struct{}{}
@@ -152,8 +143,6 @@ func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error

 	snapshot.RunningContainerCount = runningContainers
 	snapshot.StoppedContainerCount = stoppedContainers
-	snapshot.HealthyContainerCount = healthyContainers
-	snapshot.UnhealthyContainerCount = unhealthyContainers
 	snapshot.StackCount += len(stacks)
 	snapshot.SnapshotRaw.Containers = containers
 	return nil
--- a/api/edgegroup.go
+++ b/api/edgegroup.go
@@ -1,54 +0,0 @@
-package portainer
-
-// EdgeGroupRelatedEndpoints returns a list of endpoints related to this Edge group
-func EdgeGroupRelatedEndpoints(edgeGroup *EdgeGroup, endpoints []Endpoint, endpointGroups []EndpointGroup) []EndpointID {
-	if !edgeGroup.Dynamic {
-		return edgeGroup.Endpoints
-	}
-
-	endpointIDs := []EndpointID{}
-	for _, endpoint := range endpoints {
-		if endpoint.Type != EdgeAgentEnvironment {
-			continue
-		}
-
-		var endpointGroup EndpointGroup
-		for _, group := range endpointGroups {
-			if endpoint.GroupID == group.ID {
-				endpointGroup = group
-				break
-			}
-		}
-
-		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
-			endpointIDs = append(endpointIDs, endpoint.ID)
-		}
-	}
-
-	return endpointIDs
-}
-
-// edgeGroupRelatedToEndpoint returns true is edgeGroup is associated with endpoint
-func edgeGroupRelatedToEndpoint(edgeGroup *EdgeGroup, endpoint *Endpoint, endpointGroup *EndpointGroup) bool {
-	if !edgeGroup.Dynamic {
-		for _, endpointID := range edgeGroup.Endpoints {
-			if endpoint.ID == endpointID {
-				return true
-			}
-		}
-		return false
-	}
-
-	endpointTags := TagSet(endpoint.TagIDs)
-	if endpointGroup.TagIDs != nil {
-		endpointTags = TagUnion(endpointTags, TagSet(endpointGroup.TagIDs))
-	}
-	edgeGroupTags := TagSet(edgeGroup.TagIDs)
-
-	if edgeGroup.PartialMatch {
-		intersection := TagIntersection(endpointTags, edgeGroupTags)
-		return len(intersection) != 0
-	}
-
-	return TagContains(edgeGroupTags, endpointTags)
-}
--- a/api/edgestack.go
+++ b/api/edgestack.go
@@ -1,27 +0,0 @@
-package portainer
-
-import "errors"
-
-// EdgeStackRelatedEndpoints returns a list of endpoints related to this Edge stack
-func EdgeStackRelatedEndpoints(edgeGroupIDs []EdgeGroupID, endpoints []Endpoint, endpointGroups []EndpointGroup, edgeGroups []EdgeGroup) ([]EndpointID, error) {
-	edgeStackEndpoints := []EndpointID{}
-
-	for _, edgeGroupID := range edgeGroupIDs {
-		var edgeGroup *EdgeGroup
-
-		for _, group := range edgeGroups {
-			if group.ID == edgeGroupID {
-				edgeGroup = &group
-				break
-			}
-		}
-
-		if edgeGroup == nil {
-			return nil, errors.New("Edge group was not found")
-		}
-
-		edgeStackEndpoints = append(edgeStackEndpoints, EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)...)
-	}
-
-	return edgeStackEndpoints, nil
-}
--- a/api/endpoint.go
+++ b/api/endpoint.go
@@ -1,25 +0,0 @@
-package portainer
-
-// EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Endpoint
-func EndpointRelatedEdgeStacks(endpoint *Endpoint, endpointGroup *EndpointGroup, edgeGroups []EdgeGroup, edgeStacks []EdgeStack) []EdgeStackID {
-	relatedEdgeGroupsSet := map[EdgeGroupID]bool{}
-
-	for _, edgeGroup := range edgeGroups {
-		if edgeGroupRelatedToEndpoint(&edgeGroup, endpoint, endpointGroup) {
-			relatedEdgeGroupsSet[edgeGroup.ID] = true
-		}
-	}
-
-	relatedEdgeStacks := []EdgeStackID{}
-	for _, edgeStack := range edgeStacks {
-		for _, edgeGroupID := range edgeStack.EdgeGroups {
-			if relatedEdgeGroupsSet[edgeGroupID] {
-				relatedEdgeStacks = append(relatedEdgeStacks, edgeStack.ID)
-				break
-			}
-		}
-	}
-
-	return relatedEdgeStacks
-
-}
--- a/api/errors.go
+++ b/api/errors.go
@@ -39,6 +39,11 @@ const (
 	ErrEndpointAccessDenied = Error("Access denied to endpoint")
 )

+// Azure environment errors
+const (
+	ErrAzureInvalidCredentials = Error("Invalid Azure credentials")
+)
+
 // Endpoint group errors.
 const (
 	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
--- a/api/exec/extension.go
+++ b/api/exec/extension.go
@@ -4,26 +4,20 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
-	"fmt"
 	"log"
-	"os"
 	"os/exec"
 	"path"
-	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/coreos/go-semver/semver"
-
 	"github.com/orcaman/concurrent-map"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/client"
 )

-var extensionDownloadBaseURL = portainer.AssetsServerURL + "/extensions/"
-var extensionVersionRegexp = regexp.MustCompile(`\d+(\.\d+)+`)
+var extensionDownloadBaseURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/extensions/"

 var extensionBinaryMap = map[portainer.ExtensionID]string{
 	portainer.RegistryManagementExtension:  "extension-registry-management",
@@ -34,17 +28,17 @@ var extensionBinaryMap = map[portainer.ExtensionID]string{
 // ExtensionManager represents a service used to
 // manage extension processes.
 type ExtensionManager struct {
-	processes   cmap.ConcurrentMap
-	fileService portainer.FileService
-	dataStore   portainer.DataStore
+	processes        cmap.ConcurrentMap
+	fileService      portainer.FileService
+	extensionService portainer.ExtensionService
 }

 // NewExtensionManager returns a pointer to an ExtensionManager
-func NewExtensionManager(fileService portainer.FileService, dataStore portainer.DataStore) *ExtensionManager {
+func NewExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) *ExtensionManager {
 	return &ExtensionManager{
-		processes:   cmap.New(),
-		fileService: fileService,
-		dataStore:   dataStore,
+		processes:        cmap.New(),
+		fileService:      fileService,
+		extensionService: extensionService,
 	}
 }

@@ -53,11 +47,20 @@ func processKey(ID portainer.ExtensionID) string {
 }

 func buildExtensionURL(extension *portainer.Extension) string {
-	return fmt.Sprintf("%s%s-%s-%s-%s.zip", extensionDownloadBaseURL, extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+	extensionURL := extensionDownloadBaseURL
+	extensionURL += extensionBinaryMap[extension.ID]
+	extensionURL += "-" + runtime.GOOS + "-" + runtime.GOARCH
+	extensionURL += "-" + extension.Version
+	extensionURL += ".zip"
+	return extensionURL
 }

 func buildExtensionPath(binaryPath string, extension *portainer.Extension) string {
-	extensionFilename := fmt.Sprintf("%s-%s-%s-%s", extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+
+	extensionFilename := extensionBinaryMap[extension.ID]
+	extensionFilename += "-" + runtime.GOOS + "-" + runtime.GOARCH
+	extensionFilename += "-" + extension.Version
+
 	if runtime.GOOS == "windows" {
 		extensionFilename += ".exe"
 	}
@@ -70,20 +73,11 @@ func buildExtensionPath(binaryPath string, extension *portainer.Extension) strin
 }

 // FetchExtensionDefinitions will fetch the list of available
-// extension definitions from the official Portainer assets server.
-// If it cannot retrieve the data from the Internet it will fallback to the locally cached
-// manifest file.
+// extension definitions from the official Portainer assets server
 func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extension, error) {
-	var extensionData []byte
-
-	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 5)
+	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 30)
 	if err != nil {
-		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extensions manifest via Internet. Extensions will be retrieved from local cache and might not be up to date] [err: %s]", err)
-
-		extensionData, err = manager.fileService.GetFileContent(portainer.LocalExtensionManifestFile)
-		if err != nil {
-			return nil, err
-		}
+		return nil, err
 	}

 	var extensions []portainer.Extension
@@ -95,37 +89,6 @@ func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extens
 	return extensions, nil
 }

-// InstallExtension will install the extension from an archive. It will extract the extension version number from
-// the archive file name first and return an error if the file name is not valid (cannot find extension version).
-// It will then extract the archive and execute the EnableExtension function to enable the extension.
-// Since we're missing information about this extension (stored on Portainer.io server) we need to assume
-// default information based on the extension ID.
-func (manager *ExtensionManager) InstallExtension(extension *portainer.Extension, licenseKey string, archiveFileName string, extensionArchive []byte) error {
-	extensionVersion := extensionVersionRegexp.FindString(archiveFileName)
-	if extensionVersion == "" {
-		return errors.New("invalid extension archive filename: unable to retrieve extension version")
-	}
-
-	err := manager.fileService.ExtractExtensionArchive(extensionArchive)
-	if err != nil {
-		return err
-	}
-
-	switch extension.ID {
-	case portainer.RegistryManagementExtension:
-		extension.Name = "Registry Manager"
-	case portainer.OAuthAuthenticationExtension:
-		extension.Name = "External Authentication"
-	case portainer.RBACExtension:
-		extension.Name = "Role-Based Access Control"
-	}
-	extension.ShortDescription = "Extension enabled offline"
-	extension.Version = extensionVersion
-	extension.Available = true
-
-	return manager.EnableExtension(extension, licenseKey)
-}
-
 // EnableExtension will check for the existence of the extension binary on the filesystem
 // first. If it does not exist, it will download it from the official Portainer assets server.
 // After installing the binary on the filesystem, it will execute the binary in license check
@@ -182,61 +145,6 @@ func (manager *ExtensionManager) DisableExtension(extension *portainer.Extension
 	return manager.fileService.RemoveDirectory(extensionBinaryPath)
 }

-// StartExtensions will retrieve the extensions definitions from the Internet and check if a new version of each
-// extension is available. If so, it will automatically install the new version of the extension. If no update is
-// available it will simply start the extension.
-// The purpose of this function is to be ran at startup, as such most of the error handling won't block the program execution
-// and will log warning messages instead.
-func (manager *ExtensionManager) StartExtensions() error {
-	extensions, err := manager.dataStore.Extension().Extensions()
-	if err != nil {
-		return err
-	}
-
-	definitions, err := manager.FetchExtensionDefinitions()
-	if err != nil {
-		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extension information from Internet. Skipping extensions update check.] [err: %s]", err)
-		return nil
-	}
-
-	return manager.updateAndStartExtensions(extensions, definitions)
-}
-
-func (manager *ExtensionManager) updateAndStartExtensions(extensions []portainer.Extension, definitions []portainer.Extension) error {
-	for _, definition := range definitions {
-		for _, extension := range extensions {
-			if extension.ID == definition.ID {
-				definitionVersion := semver.New(definition.Version)
-				extensionVersion := semver.New(extension.Version)
-
-				if extensionVersion.LessThan(*definitionVersion) {
-					log.Printf("[INFO] [exec,extensions] [message: new version detected, updating extension] [extension: %s] [current_version: %s] [available_version: %s]", extension.Name, extension.Version, definition.Version)
-					err := manager.UpdateExtension(&extension, definition.Version)
-					if err != nil {
-						log.Printf("[WARN] [exec,extensions] [message: unable to update extension automatically] [extension: %s] [current_version: %s] [available_version: %s] [err: %s]", extension.Name, extension.Version, definition.Version, err)
-					}
-				} else {
-					err := manager.EnableExtension(&extension, extension.License.LicenseKey)
-					if err != nil {
-						log.Printf("[WARN] [exec,extensions] [message: unable to start extension] [extension: %s] [err: %s]", extension.Name, err)
-						extension.Enabled = false
-						extension.License.Valid = false
-					}
-				}
-
-				err := manager.dataStore.Extension().Persist(&extension)
-				if err != nil {
-					return err
-				}
-
-				break
-			}
-		}
-	}
-
-	return nil
-}
-
 // UpdateExtension will download the new extension binary from the official Portainer assets
 // server, disable the previous extension via DisableExtension, trigger a license check
 // and then start the extension process and add it to the processes map
@@ -287,7 +195,7 @@ func validateLicense(binaryPath, licenseKey string) ([]string, error) {
 	err := licenseCheckProcess.Run()
 	if err != nil {
 		log.Printf("[DEBUG] [exec,extension] [message: unable to run extension process] [err: %s]", err)
-		return nil, errors.New("invalid extension license key")
+		return nil, errors.New("Invalid extension license key")
 	}

 	output := string(cmdOutput.Bytes())
@@ -297,12 +205,8 @@ func validateLicense(binaryPath, licenseKey string) ([]string, error) {

 func (manager *ExtensionManager) startExtensionProcess(extension *portainer.Extension, binaryPath string) error {
 	extensionProcess := exec.Command(binaryPath, "-license", extension.License.LicenseKey)
-	extensionProcess.Stdout = os.Stdout
-	extensionProcess.Stderr = os.Stderr
-
 	err := extensionProcess.Start()
 	if err != nil {
-		log.Printf("[DEBUG] [exec,extension] [message: unable to start extension process] [err: %s]", err)
 		return err
 	}

--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -123,7 +123,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPa
 	endpointURL := endpoint.URL
 	if endpoint.Type == portainer.EdgeAgentEnvironment {
 		tunnel := manager.reverseTunnelService.GetTunnelDetails(endpoint.ID)
-		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
+		endpointURL = fmt.Sprintf("tcp://localhost:%d", tunnel.Port)
 	}

 	args = append(args, "-H", endpointURL)
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -29,8 +29,6 @@ const (
 	ComposeStorePath = "compose"
 	// ComposeFileDefaultName represents the default name of a compose file.
 	ComposeFileDefaultName = "docker-compose.yml"
-	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
-	EdgeStackStorePath = "edge_stacks"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
@@ -89,7 +87,12 @@ func (service *Service) GetBinaryFolder() string {
 // ExtractExtensionArchive extracts the content of an extension archive
 // specified as raw data into the binary store on the filesystem
 func (service *Service) ExtractExtensionArchive(data []byte) error {
-	return archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
+	err := archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

 // RemoveDirectory removes a directory on the filesystem.
@@ -123,32 +126,6 @@ func (service *Service) StoreStackFileFromBytes(stackIdentifier, fileName string
 	return path.Join(service.fileStorePath, stackStorePath), nil
 }

-// GetEdgeStackProjectPath returns the absolute path on the FS for a edge stack based
-// on its identifier.
-func (service *Service) GetEdgeStackProjectPath(edgeStackIdentifier string) string {
-	return path.Join(service.fileStorePath, EdgeStackStorePath, edgeStackIdentifier)
-}
-
-// StoreEdgeStackFileFromBytes creates a subfolder in the EdgeStackStorePath and stores a new file from bytes.
-// It returns the path to the folder where the file is stored.
-func (service *Service) StoreEdgeStackFileFromBytes(edgeStackIdentifier, fileName string, data []byte) (string, error) {
-	stackStorePath := path.Join(EdgeStackStorePath, edgeStackIdentifier)
-	err := service.createDirectoryInStore(stackStorePath)
-	if err != nil {
-		return "", err
-	}
-
-	composeFilePath := path.Join(stackStorePath, fileName)
-	r := bytes.NewReader(data)
-
-	err = service.createFileInStore(composeFilePath, r)
-	if err != nil {
-		return "", err
-	}
-
-	return path.Join(service.fileStorePath, stackStorePath), nil
-}
-
 // StoreRegistryManagementFileFromBytes creates a subfolder in the
 // ExtensionRegistryManagementStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
--- a/api/go.mod
+++ b/api/go.mod
@@ -1,37 +0,0 @@
-module github.com/portainer/portainer/api
-
-go 1.13
-
-require (
-	github.com/Microsoft/go-winio v0.4.14
-	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a
-	github.com/boltdb/bolt v1.3.1
-	github.com/containerd/containerd v1.3.1 // indirect
-	github.com/coreos/go-semver v0.3.0
-	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9
-	github.com/dgrijalva/jwt-go v3.2.0+incompatible
-	github.com/docker/cli v0.0.0-20191126203649-54d085b857e9
-	github.com/docker/docker v0.0.0-00010101000000-000000000000
-	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
-	github.com/go-ldap/ldap/v3 v3.1.8
-	github.com/gofrs/uuid v3.2.0+incompatible
-	github.com/gorilla/mux v1.7.3
-	github.com/gorilla/securecookie v1.1.1
-	github.com/gorilla/websocket v1.4.1
-	github.com/imdario/mergo v0.3.8 // indirect
-	github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389
-	github.com/json-iterator/go v1.1.8
-	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
-	github.com/mattn/go-shellwords v1.0.6 // indirect
-	github.com/mitchellh/mapstructure v1.1.2 // indirect
-	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
-	github.com/portainer/libcompose v0.5.3
-	github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
-	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
-	github.com/robfig/cron/v3 v3.0.0
-	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
-	gopkg.in/alecthomas/kingpin.v2 v2.2.6
-	gopkg.in/src-d/go-git.v4 v4.13.1
-)
-
-replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203
--- a/api/go.sum
+++ b/api/go.sum
@@ -1,279 +0,0 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
-github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/Microsoft/go-winio v0.3.8 h1:dvxbxtpTIjdAbx2OtL26p4eq0iEvys/U5yrsTJb3NZI=
-github.com/Microsoft/go-winio v0.3.8/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
-github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
-github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
-github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
-github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
-github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
-github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
-github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
-github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
-github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZOs7ygH5BgQp4N+aYrZ2DNpWZ1KG3VOSOM=
-github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
-github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
-github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
-github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
-github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
-github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
-github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/boltdb/bolt v1.3.1 h1:JQmyP4ZBrce+ZQu0dY660FMfatumYDLun9hBCUVIkF4=
-github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/containerd/containerd v1.3.1 h1:LdbWxLhkAIxGO7h3mATHkyav06WuDs/yTWxIljJOTks=
-github.com/containerd/containerd v1.3.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
-github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
-github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 h1:74lLNRzvsdIlkTgfDSMuaPjBr4cf6k7pwQQANm/yLKU=
-github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
-github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/docker/cli v0.0.0-20190711175710-5b38d82aa076/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v0.0.0-20191126203649-54d085b857e9 h1:Q6D6b2iRKhvtL3Wj9p0SyPOvUDJ1ht62mbiBoNJ3Aus=
-github.com/docker/cli v0.0.0-20191126203649-54d085b857e9/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
-github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
-github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
-github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203 h1:QeBh8wW8pIZKlXxlMOQ8hSCMdJA+2Z/bD/iDyCAS8XU=
-github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
-github.com/docker/go-connections v0.3.0 h1:3lOnM9cSzgGwx8VfK/NGOW5fLQ0GjIlCkaktF+n1M6o=
-github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zFu83v/M79DuBn84IL/Syx1SY6Y5ZEMA=
-github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
-github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
-github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
-github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
-github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
-github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
-github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
-github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
-github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
-github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-ldap/ldap/v3 v3.1.8 h1:5vU/2jOh9HqprwXp8aF915s9p6Z8wmbSEVF7/gdTFhM=
-github.com/go-ldap/ldap/v3 v3.1.8/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
-github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
-github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
-github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
-github.com/gorilla/mux v0.0.0-20160317213430-0eeaf8392f5b/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
-github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
-github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
-github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
-github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
-github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
-github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669 h1:l5rH/CnVVu+HPxjtxjM90nHrm4nov3j3RF9/62UjgLs=
-github.com/jpillora/ansi v0.0.0-20170202005112-f496b27cd669/go.mod h1:kOeLNvjNBGSV3uYtFjvb72+fnZCMFJF1XDvRIjdom0g=
-github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
-github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389 h1:K3JsoRqX6C4gmTvY4jqtFGCfK8uToj9DMahciJaoWwE=
-github.com/jpillora/chisel v0.0.0-20190724232113-f3a8df20e389/go.mod h1:wHQUFFnFySoqdAOzjHkTvb4DsVM1h/73PS9l2vnioRM=
-github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82 h1:7ufdyC3aMxFcCv+ABZy/dmIVGKFoGNBCqOgLYPIckD8=
-github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82/go.mod h1:w8buj+yNfmLEP0ENlbG/FRnK6bVmuhqXnukYCs9sDvY=
-github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9 h1:0c9jcgBtHRtDU//jTrcCgWG6UHjMZytiq/3WhraNgUM=
-github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9/go.mod h1:1ffp+CRe0eAwwRb0/BownUAjMBsmTLwgAvRbfj9dRwE=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
-github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
-github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G+j5fuFxCsJqjFU/sZe0mj8H0sSoSwbaikw=
-github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c/go.mod h1:Nn5wlyECw3iJrzi0AhIWg+AJUb4PlRQVW4/3XHH1LZA=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v0.0.0-20150511174710-5cf931ef8f76/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
-github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
-github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
-github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8dQu6DMTwH4oIuGN8GJDAlqDdVE=
-github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420 h1:Yu3681ykYHDfLoI6XVjL4JWmkE+3TX9yfIWwRCh1kFM=
-github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
-github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449 h1:Aq8iG72akPb/kszE7ksZ5ldV+JYPYii/KZOxlpJF07s=
-github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c h1:iOMba/KmaXgSX5PFKu1u6s+DZXiq+EzPayawa76w6aA=
-github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
-github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
-github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
-github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/portainer/libcompose v0.5.3 h1:tE4WcPuGvo+NKeDkDWpwNavNLZ5GHIJ4RvuZXsI9uI8=
-github.com/portainer/libcompose v0.5.3/go.mod h1:7SKd/ho69rRKHDFSDUwkbMcol2TMKU5OslDsajr8Ro8=
-github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2 h1:0PfgGLys9yHr4rtnirg0W0Cjvv6/DzxBIZk5sV59208=
-github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2/go.mod h1:/wIeGwJOMYc1JplE/OvYMO5korce39HddIfI8VKGyAM=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33 h1:H8HR2dHdBf8HANSkUyVw4o8+4tegGcd+zyKZ3e599II=
-github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33/go.mod h1:Y2TfgviWI4rT2qaOTHr+hq6MdKIE5YjgQAu7qwptTV0=
-github.com/portainer/portainer v0.10.1 h1:I8K345CjGWfUGsVA8c8/gqamwLCC6CIAjxZXSklAFq0=
-github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
-github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
-github.com/prometheus/client_golang v1.1.0 h1:BQ53HtBmfOitExawJ6LokA4x8ov/z0SYYb0+HxJfRI8=
-github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
-github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/common v0.6.0 h1:kRhiuYSXR3+uv2IbVbZhUxK5zVD/2pp3Gd2PpvPkpEo=
-github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.0.3 h1:CTwfnzjQ+8dS6MhHHu4YswVAD99sL2wjPqP+VkURmKE=
-github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/robfig/cron/v3 v3.0.0 h1:kQ6Cb7aHOHTSzNVNEhmp8EcWKLb4CbiMW9h9VyIhO4E=
-github.com/robfig/cron/v3 v3.0.0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
-github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
-github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
-github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
-github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
-github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
-github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
-github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
-github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
-github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
-github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1 h1:anGSYQpPhQwXlwsu5wmfq0nWkCNaMEMUwAv13Y92hd8=
-golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181019160139-8e24a49d80f8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 h1:4y9KwBHBgBNwDbtu44R5o1fdOCQUEXhbk/P4A9WmJq0=
-golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
-google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
-gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
-gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
-gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
-gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
-gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
-gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
-gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
-gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@@ -2,9 +2,11 @@ package client

 import (
 	"crypto/tls"
+	"encoding/json"
+	"fmt"
 	"io/ioutil"
-	"log"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"

@@ -16,6 +18,55 @@ const (
 	defaultHTTPTimeout       = 5
 )

+// HTTPClient represents a client to send HTTP requests.
+type HTTPClient struct {
+	*http.Client
+}
+
+// NewHTTPClient is used to build a new HTTPClient.
+func NewHTTPClient() *HTTPClient {
+	return &HTTPClient{
+		&http.Client{
+			Timeout: time.Second * time.Duration(defaultHTTPTimeout),
+		},
+	}
+}
+
+// AzureAuthenticationResponse represents an Azure API authentication response.
+type AzureAuthenticationResponse struct {
+	AccessToken string `json:"access_token"`
+	ExpiresOn   string `json:"expires_on"`
+}
+
+// ExecuteAzureAuthenticationRequest is used to execute an authentication request
+// against the Azure API. It re-uses the same http.Client.
+func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portainer.AzureCredentials) (*AzureAuthenticationResponse, error) {
+	loginURL := fmt.Sprintf("https://login.microsoftonline.com/%s/oauth2/token", credentials.TenantID)
+	params := url.Values{
+		"grant_type":    {"client_credentials"},
+		"client_id":     {credentials.ApplicationID},
+		"client_secret": {credentials.AuthenticationKey},
+		"resource":      {"https://management.azure.com/"},
+	}
+
+	response, err := client.PostForm(loginURL, params)
+	if err != nil {
+		return nil, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, portainer.ErrAzureInvalidCredentials
+	}
+
+	var token AzureAuthenticationResponse
+	err = json.NewDecoder(response.Body).Decode(&token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &token, nil
+}
+
 // Get executes a simple HTTP GET to the specified URL and returns
 // the content of the response body. Timeout can be specified via the timeout parameter,
 // will default to defaultHTTPTimeout if set to 0.
@@ -36,7 +87,6 @@ func Get(url string, timeout int) ([]byte, error) {
 	defer response.Body.Close()

 	if response.StatusCode != http.StatusOK {
-		log.Printf("[ERROR] [http,client] [message: unexpected status code] [status_code: %d]", response.StatusCode)
 		return nil, errInvalidResponseStatus
 	}

--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -42,12 +42,12 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

-	u, err := handler.DataStore.User().UserByUsername(payload.Username)
+	u, err := handler.UserService.UserByUsername(payload.Username)
 	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
@@ -79,11 +79,6 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}

-	err = handler.AuthorizationService.UpdateUsersAuthorizations()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-	}
-
 	return handler.writeToken(w, user)
 }

@@ -108,7 +103,7 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 	}

-	err = handler.DataStore.User().CreateUser(user)
+	err = handler.UserService.CreateUser(user)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 	}
@@ -118,11 +113,6 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}

-	err = handler.AuthorizationService.UpdateUsersAuthorizations()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-	}
-
 	return handler.writeToken(w, user)
 }

@@ -146,7 +136,7 @@ func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *p
 }

 func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portainer.LDAPSettings) error {
-	teams, err := handler.DataStore.Team().Teams()
+	teams, err := handler.TeamService.Teams()
 	if err != nil {
 		return err
 	}
@@ -156,7 +146,7 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 		return err
 	}

-	userMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	userMemberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return err
 	}
@@ -174,13 +164,12 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 				Role:   portainer.TeamMember,
 			}

-			err := handler.DataStore.TeamMembership().CreateTeamMembership(membership)
+			err := handler.TeamMembershipService.CreateTeamMembership(membership)
 			if err != nil {
 				return err
 			}
 		}
 	}
-
 	return nil
 }

--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -78,7 +78,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}
@@ -87,7 +87,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", portainer.Error("OAuth authentication is not enabled")}
 	}

-	extension, err := handler.DataStore.Extension().Extension(portainer.OAuthAuthenticationExtension)
+	extension, err := handler.ExtensionService.Extension(portainer.OAuthAuthenticationExtension)
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
 	} else if err != nil {
@@ -100,7 +100,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
 	}

-	user, err := handler.DataStore.User().UserByUsername(username)
+	user, err := handler.UserService.UserByUsername(username)
 	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}
@@ -116,7 +116,7 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 			PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 		}

-		err = handler.DataStore.User().CreateUser(user)
+		err = handler.UserService.CreateUser(user)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 		}
@@ -128,16 +128,11 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 				Role:   portainer.TeamMember,
 			}

-			err = handler.DataStore.TeamMembership().CreateTeamMembership(membership)
+			err = handler.TeamMembershipService.CreateTeamMembership(membership)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team membership inside the database", err}
 			}
 		}
-
-		err = handler.AuthorizationService.UpdateUsersAuthorizations()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
-		}
 	}

 	return handler.writeToken(w, user)
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -11,6 +11,8 @@ import (
 )

 const (
+	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
+	ErrInvalidCredentials = portainer.Error("Invalid credentials")
 	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
 	// when the server has been started with the --no-auth flag
 	ErrAuthDisabled = portainer.Error("Authentication is disabled")
@@ -19,13 +21,19 @@ const (
 // Handler is the HTTP handler used to handle authentication operations.
 type Handler struct {
 	*mux.Router
-	authDisabled         bool
-	DataStore            portainer.DataStore
-	CryptoService        portainer.CryptoService
-	JWTService           portainer.JWTService
-	LDAPService          portainer.LDAPService
-	ProxyManager         *proxy.Manager
-	AuthorizationService *portainer.AuthorizationService
+	authDisabled          bool
+	UserService           portainer.UserService
+	CryptoService         portainer.CryptoService
+	JWTService            portainer.JWTService
+	LDAPService           portainer.LDAPService
+	SettingsService       portainer.SettingsService
+	TeamService           portainer.TeamService
+	TeamMembershipService portainer.TeamMembershipService
+	ExtensionService      portainer.ExtensionService
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	RoleService           portainer.RoleService
+	ProxyManager          *proxy.Manager
 }

 // NewHandler creates a handler to manage authentication operations.
--- a/api/http/handler/dockerhub/dockerhub_inspect.go
+++ b/api/http/handler/dockerhub/dockerhub_inspect.go
@@ -9,7 +9,7 @@ import (

 // GET request on /api/dockerhub
 func (handler *Handler) dockerhubInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	dockerhub, err := handler.DataStore.DockerHub().DockerHub()
+	dockerhub, err := handler.DockerHubService.DockerHub()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve DockerHub details from the database", err}
 	}
--- a/api/http/handler/dockerhub/dockerhub_update.go
+++ b/api/http/handler/dockerhub/dockerhub_update.go
@@ -43,7 +43,7 @@ func (handler *Handler) dockerhubUpdate(w http.ResponseWriter, r *http.Request)
 		dockerhub.Password = payload.Password
 	}

-	err = handler.DataStore.DockerHub().UpdateDockerHub(dockerhub)
+	err = handler.DockerHubService.UpdateDockerHub(dockerhub)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the Dockerhub changes inside the database", err}
 	}
--- a/api/http/handler/dockerhub/handler.go
+++ b/api/http/handler/dockerhub/handler.go
@@ -16,7 +16,7 @@ func hideFields(dockerHub *portainer.DockerHub) {
 // Handler is the HTTP handler used to handle DockerHub operations.
 type Handler struct {
 	*mux.Router
-	DataStore portainer.DataStore
+	DockerHubService portainer.DockerHubService
 }

 // NewHandler creates a handler to manage Dockerhub operations.
--- a/api/http/handler/edgegroups/associated_endpoints.go
+++ b/api/http/handler/edgegroups/associated_endpoints.go
@@ -1,104 +0,0 @@
-package edgegroups
-
-import (
-	"github.com/portainer/portainer/api"
-)
-
-type endpointSetType map[portainer.EndpointID]bool
-
-func (handler *Handler) getEndpointsByTags(tagIDs []portainer.TagID, partialMatch bool) ([]portainer.EndpointID, error) {
-	if len(tagIDs) == 0 {
-		return []portainer.EndpointID{}, nil
-	}
-
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return nil, err
-	}
-
-	groupEndpoints := mapEndpointGroupToEndpoints(endpoints)
-
-	tags := []portainer.Tag{}
-	for _, tagID := range tagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return nil, err
-		}
-		tags = append(tags, *tag)
-	}
-
-	setsOfEndpoints := mapTagsToEndpoints(tags, groupEndpoints)
-
-	var endpointSet endpointSetType
-	if partialMatch {
-		endpointSet = setsUnion(setsOfEndpoints)
-	} else {
-		endpointSet = setsIntersection(setsOfEndpoints)
-	}
-
-	results := []portainer.EndpointID{}
-	for _, endpoint := range endpoints {
-		if _, ok := endpointSet[endpoint.ID]; ok && endpoint.Type == portainer.EdgeAgentEnvironment {
-			results = append(results, endpoint.ID)
-		}
-	}
-
-	return results, nil
-}
-
-func mapEndpointGroupToEndpoints(endpoints []portainer.Endpoint) map[portainer.EndpointGroupID]endpointSetType {
-	groupEndpoints := map[portainer.EndpointGroupID]endpointSetType{}
-	for _, endpoint := range endpoints {
-		groupID := endpoint.GroupID
-		if groupEndpoints[groupID] == nil {
-			groupEndpoints[groupID] = endpointSetType{}
-		}
-		groupEndpoints[groupID][endpoint.ID] = true
-	}
-	return groupEndpoints
-}
-
-func mapTagsToEndpoints(tags []portainer.Tag, groupEndpoints map[portainer.EndpointGroupID]endpointSetType) []endpointSetType {
-	sets := []endpointSetType{}
-	for _, tag := range tags {
-		set := tag.Endpoints
-		for groupID := range tag.EndpointGroups {
-			for endpointID := range groupEndpoints[groupID] {
-				set[endpointID] = true
-			}
-		}
-		sets = append(sets, set)
-	}
-
-	return sets
-}
-
-func setsIntersection(sets []endpointSetType) endpointSetType {
-	if len(sets) == 0 {
-		return endpointSetType{}
-	}
-
-	intersectionSet := sets[0]
-
-	for _, set := range sets {
-		for endpointID := range intersectionSet {
-			if !set[endpointID] {
-				delete(intersectionSet, endpointID)
-			}
-		}
-	}
-
-	return intersectionSet
-}
-
-func setsUnion(sets []endpointSetType) endpointSetType {
-	unionSet := endpointSetType{}
-
-	for _, set := range sets {
-		for endpointID := range set {
-			unionSet[endpointID] = true
-		}
-	}
-
-	return unionSet
-}
--- a/api/http/handler/edgegroups/edgegroup_create.go
+++ b/api/http/handler/edgegroups/edgegroup_create.go
@@ -1,83 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type edgeGroupCreatePayload struct {
-	Name         string
-	Dynamic      bool
-	TagIDs       []portainer.TagID
-	Endpoints    []portainer.EndpointID
-	PartialMatch bool
-}
-
-func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Name) {
-		return portainer.Error("Invalid Edge group name")
-	}
-	if payload.Dynamic && (payload.TagIDs == nil || len(payload.TagIDs) == 0) {
-		return portainer.Error("TagIDs is mandatory for a dynamic Edge group")
-	}
-	if !payload.Dynamic && (payload.Endpoints == nil || len(payload.Endpoints) == 0) {
-		return portainer.Error("Endpoints is mandatory for a static Edge group")
-	}
-	return nil
-}
-
-func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var payload edgeGroupCreatePayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
-	}
-
-	for _, edgeGroup := range edgeGroups {
-		if edgeGroup.Name == payload.Name {
-			return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", portainer.Error("Edge group name must be unique")}
-		}
-	}
-
-	edgeGroup := &portainer.EdgeGroup{
-		Name:         payload.Name,
-		Dynamic:      payload.Dynamic,
-		TagIDs:       []portainer.TagID{},
-		Endpoints:    []portainer.EndpointID{},
-		PartialMatch: payload.PartialMatch,
-	}
-
-	if edgeGroup.Dynamic {
-		edgeGroup.TagIDs = payload.TagIDs
-	} else {
-		endpointIDs := []portainer.EndpointID{}
-		for _, endpointID := range payload.Endpoints {
-			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint from the database", err}
-			}
-
-			if endpoint.Type == portainer.EdgeAgentEnvironment {
-				endpointIDs = append(endpointIDs, endpoint.ID)
-			}
-		}
-		edgeGroup.Endpoints = endpointIDs
-	}
-
-	err = handler.DataStore.EdgeGroup().CreateEdgeGroup(edgeGroup)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the Edge group inside the database", err}
-	}
-
-	return response.JSON(w, edgeGroup)
-}
--- a/api/http/handler/edgegroups/edgegroup_delete.go
+++ b/api/http/handler/edgegroups/edgegroup_delete.go
@@ -1,45 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-)
-
-func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge group identifier route variable", err}
-	}
-
-	_, err = handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge stacks from the database", err}
-	}
-
-	for _, edgeStack := range edgeStacks {
-		for _, groupID := range edgeStack.EdgeGroups {
-			if groupID == portainer.EdgeGroupID(edgeGroupID) {
-				return &httperror.HandlerError{http.StatusForbidden, "Edge group is used by an Edge stack", portainer.Error("Edge group is used by an Edge stack")}
-			}
-		}
-	}
-
-	err = handler.DataStore.EdgeGroup().DeleteEdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the Edge group from the database", err}
-	}
-
-	return response.Empty(w)
-
-}
--- a/api/http/handler/edgegroups/edgegroup_inspect.go
+++ b/api/http/handler/edgegroups/edgegroup_inspect.go
@@ -1,35 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge group identifier route variable", err}
-	}
-
-	edgeGroup, err := handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
-	}
-
-	if edgeGroup.Dynamic {
-		endpoints, err := handler.getEndpointsByTags(edgeGroup.TagIDs, edgeGroup.PartialMatch)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints and endpoint groups for Edge group", err}
-		}
-
-		edgeGroup.Endpoints = endpoints
-	}
-
-	return response.JSON(w, edgeGroup)
-}
--- a/api/http/handler/edgegroups/edgegroup_list.go
+++ b/api/http/handler/edgegroups/edgegroup_list.go
@@ -1,55 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type decoratedEdgeGroup struct {
-	portainer.EdgeGroup
-	HasEdgeStack bool `json:"HasEdgeStack"`
-}
-
-func (handler *Handler) edgeGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge stacks from the database", err}
-	}
-
-	usedEdgeGroups := make(map[portainer.EdgeGroupID]bool)
-
-	for _, stack := range edgeStacks {
-		for _, groupID := range stack.EdgeGroups {
-			usedEdgeGroups[groupID] = true
-		}
-	}
-
-	decoratedEdgeGroups := []decoratedEdgeGroup{}
-	for _, orgEdgeGroup := range edgeGroups {
-		edgeGroup := decoratedEdgeGroup{
-			EdgeGroup: orgEdgeGroup,
-		}
-		if edgeGroup.Dynamic {
-			endpoints, err := handler.getEndpointsByTags(edgeGroup.TagIDs, edgeGroup.PartialMatch)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints and endpoint groups for Edge group", err}
-			}
-
-			edgeGroup.Endpoints = endpoints
-		}
-
-		edgeGroup.HasEdgeStack = usedEdgeGroups[edgeGroup.ID]
-
-		decoratedEdgeGroups = append(decoratedEdgeGroups, edgeGroup)
-	}
-
-	return response.JSON(w, decoratedEdgeGroups)
-}
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -1,154 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-)
-
-type edgeGroupUpdatePayload struct {
-	Name         string
-	Dynamic      bool
-	TagIDs       []portainer.TagID
-	Endpoints    []portainer.EndpointID
-	PartialMatch *bool
-}
-
-func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Name) {
-		return portainer.Error("Invalid Edge group name")
-	}
-	if payload.Dynamic && (payload.TagIDs == nil || len(payload.TagIDs) == 0) {
-		return portainer.Error("TagIDs is mandatory for a dynamic Edge group")
-	}
-	if !payload.Dynamic && (payload.Endpoints == nil || len(payload.Endpoints) == 0) {
-		return portainer.Error("Endpoints is mandatory for a static Edge group")
-	}
-	return nil
-}
-
-func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeGroupID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge group identifier route variable", err}
-	}
-
-	var payload edgeGroupUpdatePayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	edgeGroup, err := handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
-	}
-
-	if payload.Name != "" {
-		edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
-		}
-		for _, edgeGroup := range edgeGroups {
-			if edgeGroup.Name == payload.Name && edgeGroup.ID != portainer.EdgeGroupID(edgeGroupID) {
-				return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", portainer.Error("Edge group name must be unique")}
-			}
-		}
-
-		edgeGroup.Name = payload.Name
-	}
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
-	}
-
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
-	}
-
-	oldRelatedEndpoints := portainer.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)
-
-	edgeGroup.Dynamic = payload.Dynamic
-	if edgeGroup.Dynamic {
-		edgeGroup.TagIDs = payload.TagIDs
-	} else {
-		endpointIDs := []portainer.EndpointID{}
-		for _, endpointID := range payload.Endpoints {
-			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint from the database", err}
-			}
-
-			if endpoint.Type == portainer.EdgeAgentEnvironment {
-				endpointIDs = append(endpointIDs, endpoint.ID)
-			}
-		}
-		edgeGroup.Endpoints = endpointIDs
-	}
-
-	if payload.PartialMatch != nil {
-		edgeGroup.PartialMatch = *payload.PartialMatch
-	}
-
-	err = handler.DataStore.EdgeGroup().UpdateEdgeGroup(edgeGroup.ID, edgeGroup)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Edge group changes inside the database", err}
-	}
-
-	newRelatedEndpoints := portainer.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)
-	endpointsToUpdate := append(newRelatedEndpoints, oldRelatedEndpoints...)
-
-	for _, endpointID := range endpointsToUpdate {
-		err = handler.updateEndpoint(endpointID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Endpoint relation changes inside the database", err}
-		}
-	}
-
-	return response.JSON(w, edgeGroup)
-}
-
-func (handler *Handler) updateEndpoint(endpointID portainer.EndpointID) error {
-	relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
-	if err != nil {
-		return err
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
-	if err != nil {
-		return err
-	}
-
-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
-	if err != nil {
-		return err
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return err
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return err
-	}
-
-	edgeStackSet := map[portainer.EdgeStackID]bool{}
-
-	endpointEdgeStacks := portainer.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
-	for _, edgeStackID := range endpointEdgeStacks {
-		edgeStackSet[edgeStackID] = true
-	}
-
-	relation.EdgeStacks = edgeStackSet
-
-	return handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)
-}
--- a/api/http/handler/edgegroups/handler.go
+++ b/api/http/handler/edgegroups/handler.go
@@ -1,34 +0,0 @@
-package edgegroups
-
-import (
-	"net/http"
-
-	"github.com/gorilla/mux"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// Handler is the HTTP handler used to handle endpoint group operations.
-type Handler struct {
-	*mux.Router
-	DataStore portainer.DataStore
-}
-
-// NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router: mux.NewRouter(),
-	}
-	h.Handle("/edge_groups",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupCreate))).Methods(http.MethodPost)
-	h.Handle("/edge_groups",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupList))).Methods(http.MethodGet)
-	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupInspect))).Methods(http.MethodGet)
-	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupUpdate))).Methods(http.MethodPut)
-	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupDelete))).Methods(http.MethodDelete)
-	return h
-}
--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -1,289 +0,0 @@
-package edgestacks
-
-import (
-	"errors"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/filesystem"
-)
-
-// POST request on /api/endpoint_groups
-func (handler *Handler) edgeStackCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method", err}
-	}
-
-	edgeStack, err := handler.createSwarmStack(method, r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Edge stack", err}
-	}
-
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
-	}
-
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
-	}
-
-	relatedEndpoints, err := portainer.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
-
-	for _, endpointID := range relatedEndpoints {
-		relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
-		}
-
-		relation.EdgeStacks[edgeStack.ID] = true
-
-		err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
-		}
-	}
-
-	return response.JSON(w, edgeStack)
-}
-
-func (handler *Handler) createSwarmStack(method string, r *http.Request) (*portainer.EdgeStack, error) {
-	switch method {
-	case "string":
-		return handler.createSwarmStackFromFileContent(r)
-	case "repository":
-		return handler.createSwarmStackFromGitRepository(r)
-	case "file":
-		return handler.createSwarmStackFromFileUpload(r)
-	}
-	return nil, errors.New("Invalid value for query parameter: method. Value must be one of: string, repository or file")
-}
-
-type swarmStackFromFileContentPayload struct {
-	Name             string
-	StackFileContent string
-	EdgeGroups       []portainer.EdgeGroupID
-}
-
-func (payload *swarmStackFromFileContentPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Name) {
-		return portainer.Error("Invalid stack name")
-	}
-	if govalidator.IsNull(payload.StackFileContent) {
-		return portainer.Error("Invalid stack file content")
-	}
-	if payload.EdgeGroups == nil || len(payload.EdgeGroups) == 0 {
-		return portainer.Error("Edge Groups are mandatory for an Edge stack")
-	}
-	return nil
-}
-
-func (handler *Handler) createSwarmStackFromFileContent(r *http.Request) (*portainer.EdgeStack, error) {
-	var payload swarmStackFromFileContentPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return nil, err
-	}
-
-	err = handler.validateUniqueName(payload.Name)
-	if err != nil {
-		return nil, err
-	}
-
-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
-	stack := &portainer.EdgeStack{
-		ID:           portainer.EdgeStackID(stackID),
-		Name:         payload.Name,
-		EntryPoint:   filesystem.ComposeFileDefaultName,
-		CreationDate: time.Now().Unix(),
-		EdgeGroups:   payload.EdgeGroups,
-		Status:       make(map[portainer.EndpointID]portainer.EdgeStackStatus),
-		Version:      1,
-	}
-
-	stackFolder := strconv.Itoa(int(stack.ID))
-	projectPath, err := handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
-	if err != nil {
-		return nil, err
-	}
-	stack.ProjectPath = projectPath
-
-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
-	if err != nil {
-		return nil, err
-	}
-
-	return stack, nil
-}
-
-type swarmStackFromGitRepositoryPayload struct {
-	Name                        string
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
-	EdgeGroups                  []portainer.EdgeGroupID
-}
-
-func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Name) {
-		return portainer.Error("Invalid stack name")
-	}
-	if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
-		return portainer.Error("Invalid repository URL. Must correspond to a valid URL format")
-	}
-	if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
-		return portainer.Error("Invalid repository credentials. Username and password must be specified when authentication is enabled")
-	}
-	if govalidator.IsNull(payload.ComposeFilePathInRepository) {
-		payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
-	}
-	if payload.EdgeGroups == nil || len(payload.EdgeGroups) == 0 {
-		return portainer.Error("Edge Groups are mandatory for an Edge stack")
-	}
-	return nil
-}
-
-func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*portainer.EdgeStack, error) {
-	var payload swarmStackFromGitRepositoryPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return nil, err
-	}
-
-	err = handler.validateUniqueName(payload.Name)
-	if err != nil {
-		return nil, err
-	}
-
-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
-	stack := &portainer.EdgeStack{
-		ID:           portainer.EdgeStackID(stackID),
-		Name:         payload.Name,
-		EntryPoint:   payload.ComposeFilePathInRepository,
-		CreationDate: time.Now().Unix(),
-		EdgeGroups:   payload.EdgeGroups,
-		Status:       make(map[portainer.EndpointID]portainer.EdgeStackStatus),
-		Version:      1,
-	}
-
-	projectPath := handler.FileService.GetEdgeStackProjectPath(strconv.Itoa(int(stack.ID)))
-	stack.ProjectPath = projectPath
-
-	gitCloneParams := &cloneRepositoryParameters{
-		url:            payload.RepositoryURL,
-		referenceName:  payload.RepositoryReferenceName,
-		path:           projectPath,
-		authentication: payload.RepositoryAuthentication,
-		username:       payload.RepositoryUsername,
-		password:       payload.RepositoryPassword,
-	}
-
-	err = handler.cloneGitRepository(gitCloneParams)
-	if err != nil {
-		return nil, err
-	}
-
-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
-	if err != nil {
-		return nil, err
-	}
-
-	return stack, nil
-}
-
-type swarmStackFromFileUploadPayload struct {
-	Name             string
-	StackFileContent []byte
-	EdgeGroups       []portainer.EdgeGroupID
-}
-
-func (payload *swarmStackFromFileUploadPayload) Validate(r *http.Request) error {
-	name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
-	if err != nil {
-		return portainer.Error("Invalid stack name")
-	}
-	payload.Name = name
-
-	composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
-	if err != nil {
-		return portainer.Error("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
-	}
-	payload.StackFileContent = composeFileContent
-
-	var edgeGroups []portainer.EdgeGroupID
-	err = request.RetrieveMultiPartFormJSONValue(r, "EdgeGroups", &edgeGroups, false)
-	if err != nil || len(edgeGroups) == 0 {
-		return portainer.Error("Edge Groups are mandatory for an Edge stack")
-	}
-	payload.EdgeGroups = edgeGroups
-	return nil
-}
-
-func (handler *Handler) createSwarmStackFromFileUpload(r *http.Request) (*portainer.EdgeStack, error) {
-	payload := &swarmStackFromFileUploadPayload{}
-	err := payload.Validate(r)
-	if err != nil {
-		return nil, err
-	}
-
-	err = handler.validateUniqueName(payload.Name)
-	if err != nil {
-		return nil, err
-	}
-
-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
-	stack := &portainer.EdgeStack{
-		ID:           portainer.EdgeStackID(stackID),
-		Name:         payload.Name,
-		EntryPoint:   filesystem.ComposeFileDefaultName,
-		CreationDate: time.Now().Unix(),
-		EdgeGroups:   payload.EdgeGroups,
-		Status:       make(map[portainer.EndpointID]portainer.EdgeStackStatus),
-		Version:      1,
-	}
-
-	stackFolder := strconv.Itoa(int(stack.ID))
-	projectPath, err := handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
-	if err != nil {
-		return nil, err
-	}
-	stack.ProjectPath = projectPath
-
-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
-	if err != nil {
-		return nil, err
-	}
-
-	return stack, nil
-}
-
-func (handler *Handler) validateUniqueName(name string) error {
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return err
-	}
-
-	for _, stack := range edgeStacks {
-		if strings.EqualFold(stack.Name, name) {
-			return portainer.Error("Edge stack name must be unique")
-		}
-	}
-	return nil
-}
--- a/api/http/handler/edgestacks/edgestack_delete.go
+++ b/api/http/handler/edgestacks/edgestack_delete.go
@@ -1,62 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeStackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
-	}
-
-	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
-	}
-
-	err = handler.DataStore.EdgeStack().DeleteEdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the edge stack from the database", err}
-	}
-
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
-	}
-
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
-	}
-
-	relatedEndpoints, err := portainer.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
-
-	for _, endpointID := range relatedEndpoints {
-		relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
-		}
-
-		delete(relation.EdgeStacks, edgeStack.ID)
-
-		err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
-		}
-	}
-
-	return response.Empty(w)
-}
--- a/api/http/handler/edgestacks/edgestack_file.go
+++ b/api/http/handler/edgestacks/edgestack_file.go
@@ -1,37 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-	"path"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type stackFileResponse struct {
-	StackFileContent string `json:"StackFileContent"`
-}
-
-// GET request on /api/edge_stacks/:id/file
-func (handler *Handler) edgeStackFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
-	}
-
-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
-	}
-
-	stackFileContent, err := handler.FileService.GetFileContent(path.Join(stack.ProjectPath, stack.EntryPoint))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Compose file from disk", err}
-	}
-
-	return response.JSON(w, &stackFileResponse{StackFileContent: string(stackFileContent)})
-}
--- a/api/http/handler/edgestacks/edgestack_inspect.go
+++ b/api/http/handler/edgestacks/edgestack_inspect.go
@@ -1,26 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeStackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
-	}
-
-	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
-	}
-
-	return response.JSON(w, edgeStack)
-}
--- a/api/http/handler/edgestacks/edgestack_list.go
+++ b/api/http/handler/edgestacks/edgestack_list.go
@@ -1,17 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
-)
-
-func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stacks from the database", err}
-	}
-
-	return response.JSON(w, edgeStacks)
-}
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -1,76 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type updateStatusPayload struct {
-	Error      string
-	Status     *portainer.EdgeStackStatusType
-	EndpointID *portainer.EndpointID
-}
-
-func (payload *updateStatusPayload) Validate(r *http.Request) error {
-	if payload.Status == nil {
-		return portainer.Error("Invalid status")
-	}
-	if payload.EndpointID == nil {
-		return portainer.Error("Invalid EndpointID")
-	}
-	if *payload.Status == portainer.StatusError && govalidator.IsNull(payload.Error) {
-		return portainer.Error("Error message is mandatory when status is error")
-	}
-	return nil
-}
-
-func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
-	}
-
-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
-	}
-
-	var payload updateStatusPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(*payload.EndpointID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
-	}
-
-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
-	}
-
-	stack.Status[*payload.EndpointID] = portainer.EdgeStackStatus{
-		Type:       *payload.Status,
-		Error:      payload.Error,
-		EndpointID: *payload.EndpointID,
-	}
-
-	err = handler.DataStore.EdgeStack().UpdateEdgeStack(stack.ID, stack)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
-	}
-
-	return response.JSON(w, stack)
-
-}
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -1,156 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-	"strconv"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-type updateEdgeStackPayload struct {
-	StackFileContent string
-	Version          *int
-	Prune            *bool
-	EdgeGroups       []portainer.EdgeGroupID
-}
-
-func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.StackFileContent) {
-		return portainer.Error("Invalid stack file content")
-	}
-	if payload.EdgeGroups != nil && len(payload.EdgeGroups) == 0 {
-		return portainer.Error("Edge Groups are mandatory for an Edge stack")
-	}
-	return nil
-}
-
-func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
-	}
-
-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
-	}
-
-	var payload updateEdgeStackPayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	if payload.EdgeGroups != nil {
-		endpoints, err := handler.DataStore.Endpoint().Endpoints()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
-		}
-
-		endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
-		}
-
-		edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
-		}
-
-		oldRelated, err := portainer.EdgeStackRelatedEndpoints(stack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stack related endpoints from database", err}
-		}
-
-		newRelated, err := portainer.EdgeStackRelatedEndpoints(payload.EdgeGroups, endpoints, endpointGroups, edgeGroups)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stack related endpoints from database", err}
-		}
-
-		oldRelatedSet := EndpointSet(oldRelated)
-		newRelatedSet := EndpointSet(newRelated)
-
-		endpointsToRemove := map[portainer.EndpointID]bool{}
-		for endpointID := range oldRelatedSet {
-			if !newRelatedSet[endpointID] {
-				endpointsToRemove[endpointID] = true
-			}
-		}
-
-		for endpointID := range endpointsToRemove {
-			relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
-			}
-
-			delete(relation.EdgeStacks, stack.ID)
-
-			err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
-			}
-		}
-
-		endpointsToAdd := map[portainer.EndpointID]bool{}
-		for endpointID := range newRelatedSet {
-			if !oldRelatedSet[endpointID] {
-				endpointsToAdd[endpointID] = true
-			}
-		}
-
-		for endpointID := range endpointsToAdd {
-			relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
-			}
-
-			relation.EdgeStacks[stack.ID] = true
-
-			err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
-			}
-		}
-
-		stack.EdgeGroups = payload.EdgeGroups
-
-	}
-
-	if payload.Prune != nil {
-		stack.Prune = *payload.Prune
-	}
-
-	stackFolder := strconv.Itoa(int(stack.ID))
-	_, err = handler.FileService.StoreEdgeStackFileFromBytes(stackFolder, stack.EntryPoint, []byte(payload.StackFileContent))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist updated Compose file on disk", err}
-	}
-
-	if payload.Version != nil && *payload.Version != stack.Version {
-		stack.Version = *payload.Version
-		stack.Status = map[portainer.EndpointID]portainer.EdgeStackStatus{}
-	}
-
-	err = handler.DataStore.EdgeStack().UpdateEdgeStack(stack.ID, stack)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
-	}
-
-	return response.JSON(w, stack)
-}
-
-func EndpointSet(endpointIDs []portainer.EndpointID) map[portainer.EndpointID]bool {
-	set := map[portainer.EndpointID]bool{}
-
-	for _, endpointID := range endpointIDs {
-		set[endpointID] = true
-	}
-
-	return set
-}
--- a/api/http/handler/edgestacks/git.go
+++ b/api/http/handler/edgestacks/git.go
@@ -1,17 +0,0 @@
-package edgestacks
-
-type cloneRepositoryParameters struct {
-	url            string
-	referenceName  string
-	path           string
-	authentication bool
-	username       string
-	password       string
-}
-
-func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
-	if parameters.authentication {
-		return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
-	}
-	return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
-}
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -1,42 +0,0 @@
-package edgestacks
-
-import (
-	"net/http"
-
-	"github.com/gorilla/mux"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// Handler is the HTTP handler used to handle endpoint group operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer *security.RequestBouncer
-	DataStore      portainer.DataStore
-	FileService    portainer.FileService
-	GitService     portainer.GitService
-}
-
-// NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackCreate))).Methods(http.MethodPost)
-	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackList))).Methods(http.MethodGet)
-	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackInspect))).Methods(http.MethodGet)
-	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackUpdate))).Methods(http.MethodPut)
-	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackDelete))).Methods(http.MethodDelete)
-	h.Handle("/edge_stacks/{id}/file",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackFile))).Methods(http.MethodGet)
-	h.Handle("/edge_stacks/{id}/status",
-		bouncer.PublicAccess(httperror.LoggerHandler(h.edgeStackStatusUpdate))).Methods(http.MethodPut)
-	return h
-}
--- a/api/http/handler/edgetemplates/edgetemplate_list.go
+++ b/api/http/handler/edgetemplates/edgetemplate_list.go
@@ -1,52 +0,0 @@
-package edgetemplates
-
-import (
-	"encoding/json"
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-)
-
-type templateFileFormat struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
-// GET request on /api/edgetemplates
-func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
-	url := portainer.DefaultTemplatesURL
-	if settings.TemplatesURL != "" {
-		url = settings.TemplatesURL
-	}
-
-	var templateData []byte
-	templateData, err = client.Get(url, 10)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve external templates", err}
-	}
-
-	var templateFile templateFileFormat
-
-	err = json.Unmarshal(templateData, &templateFile)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to parse template file", err}
-	}
-
-	filteredTemplates := make([]portainer.Template, 0)
-
-	for _, template := range templateFile.Templates {
-		if template.Type == portainer.EdgeStackTemplate {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return response.JSON(w, filteredTemplates)
-}
--- a/api/http/handler/edgetemplates/handler.go
+++ b/api/http/handler/edgetemplates/handler.go
@@ -1,31 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-
-	"github.com/gorilla/mux"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// Handler is the HTTP handler used to handle edge endpoint operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer *security.RequestBouncer
-	DataStore      portainer.DataStore
-}
-
-// NewHandler creates a handler to manage endpoint operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-
-	h.Handle("/edge_templates",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeTemplateList))).Methods(http.MethodGet)
-
-	return h
-}
--- a/api/http/handler/endpointedge/endpoint_edgestack_inspect.go
+++ b/api/http/handler/endpointedge/endpoint_edgestack_inspect.go
@@ -1,60 +0,0 @@
-package endpointedge
-
-import (
-	"net/http"
-	"path"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-)
-
-type configResponse struct {
-	Prune            bool
-	StackFileContent string
-	Name             string
-}
-
-// GET request on api/endpoints/:id/edge/stacks/:stackId
-func (handler *Handler) endpointEdgeStackInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
-	}
-
-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
-	}
-
-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
-	}
-
-	edgeStackID, err := request.RetrieveNumericRouteVariableValue(r, "stackId")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
-	}
-
-	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err == portainer.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
-	}
-
-	stackFileContent, err := handler.FileService.GetFileContent(path.Join(edgeStack.ProjectPath, edgeStack.EntryPoint))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Compose file from disk", err}
-	}
-
-	return response.JSON(w, configResponse{
-		Prune:            edgeStack.Prune,
-		StackFileContent: string(stackFileContent),
-		Name:             edgeStack.Name,
-	})
-}
--- a/api/http/handler/endpointedge/handler.go
+++ b/api/http/handler/endpointedge/handler.go
@@ -1,32 +0,0 @@
-package endpointedge
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-
-	"github.com/gorilla/mux"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// Handler is the HTTP handler used to handle edge endpoint operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer *security.RequestBouncer
-	DataStore      portainer.DataStore
-	FileService    portainer.FileService
-}
-
-// NewHandler creates a handler to manage endpoint operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-
-	h.Handle("/{id}/edge/stacks/{stackId}",
-		bouncer.PublicAccess(httperror.LoggerHandler(h.endpointEdgeStackInspect))).Methods(http.MethodGet)
-
-	return h
-}
--- a/api/http/handler/endpointgroups/endpointgroup_create.go
+++ b/api/http/handler/endpointgroups/endpointgroup_create.go
@@ -14,15 +14,15 @@ type endpointGroupCreatePayload struct {
 	Name                string
 	Description         string
 	AssociatedEndpoints []portainer.EndpointID
-	TagIDs              []portainer.TagID
+	Tags                []string
 }

 func (payload *endpointGroupCreatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Name) {
 		return portainer.Error("Invalid endpoint group name")
 	}
-	if payload.TagIDs == nil {
-		payload.TagIDs = []portainer.TagID{}
+	if payload.Tags == nil {
+		payload.Tags = []string{}
 	}
 	return nil
 }
@@ -40,15 +40,15 @@ func (handler *Handler) endpointGroupCreate(w http.ResponseWriter, r *http.Reque
 		Description:        payload.Description,
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
-		TagIDs:             payload.TagIDs,
+		Tags:               payload.Tags,
 	}

-	err = handler.DataStore.EndpointGroup().CreateEndpointGroup(endpointGroup)
+	err = handler.EndpointGroupService.CreateEndpointGroup(endpointGroup)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the endpoint group inside the database", err}
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
 	}
@@ -58,34 +58,15 @@ func (handler *Handler) endpointGroupCreate(w http.ResponseWriter, r *http.Reque
 			if endpoint.ID == id {
 				endpoint.GroupID = endpointGroup.ID

-				err := handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+				err := handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
 				if err != nil {
 					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update endpoint", err}
 				}

-				err = handler.updateEndpointRelations(&endpoint, endpointGroup)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relations changes inside the database", err}
-				}
-
 				break
 			}
 		}
 	}

-	for _, tagID := range endpointGroup.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve tag from the database", err}
-		}
-
-		tag.EndpointGroups[endpointGroup.ID] = true
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-		}
-	}
-
 	return response.JSON(w, endpointGroup)
 }
--- a/api/http/handler/endpointgroups/endpointgroup_delete.go
+++ b/api/http/handler/endpointgroups/endpointgroup_delete.go
@@ -20,19 +20,19 @@ func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Reque
 		return &httperror.HandlerError{http.StatusForbidden, "Unable to remove the default 'Unassigned' group", portainer.ErrCannotRemoveDefaultGroup}
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	_, err = handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	}

-	err = handler.DataStore.EndpointGroup().DeleteEndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	err = handler.EndpointGroupService.DeleteEndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the endpoint group from the database", err}
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
 	}
@@ -42,15 +42,10 @@ func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Reque
 		if endpoint.GroupID == portainer.EndpointGroupID(endpointGroupID) {
 			updateAuthorizations = true
 			endpoint.GroupID = portainer.EndpointGroupID(1)
-			err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
+			err = handler.EndpointService.UpdateEndpoint(endpoint.ID, &endpoint)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update endpoint", err}
 			}
-
-			err = handler.updateEndpointRelations(&endpoint, nil)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relations changes inside the database", err}
-			}
 		}
 	}

@@ -61,19 +56,5 @@ func (handler *Handler) endpointGroupDelete(w http.ResponseWriter, r *http.Reque
 		}
 	}

-	for _, tagID := range endpointGroup.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve tag from the database", err}
-		}
-
-		delete(tag.EndpointGroups, endpointGroup.ID)
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-		}
-	}
-
 	return response.Empty(w)
 }
--- a/api/http/handler/endpointgroups/endpointgroup_endpoint_add.go
+++ b/api/http/handler/endpointgroups/endpointgroup_endpoint_add.go
@@ -21,14 +21,14 @@ func (handler *Handler) endpointGroupAddEndpoint(w http.ResponseWriter, r *http.
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -37,15 +37,10 @@ func (handler *Handler) endpointGroupAddEndpoint(w http.ResponseWriter, r *http.

 	endpoint.GroupID = endpointGroup.ID

-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}

-	err = handler.updateEndpointRelations(endpoint, endpointGroup)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relations changes inside the database", err}
-	}
-
 	return response.Empty(w)
 }
--- a/api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go
+++ b/api/http/handler/endpointgroups/endpointgroup_endpoint_delete.go
@@ -21,14 +21,14 @@ func (handler *Handler) endpointGroupDeleteEndpoint(w http.ResponseWriter, r *ht
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	_, err = handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	_, err = handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -37,15 +37,10 @@ func (handler *Handler) endpointGroupDeleteEndpoint(w http.ResponseWriter, r *ht

 	endpoint.GroupID = portainer.EndpointGroupID(1)

-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}

-	err = handler.updateEndpointRelations(endpoint, nil)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relations changes inside the database", err}
-	}
-
 	return response.Empty(w)
 }
--- a/api/http/handler/endpointgroups/endpointgroup_inspect.go
+++ b/api/http/handler/endpointgroups/endpointgroup_inspect.go
@@ -16,7 +16,7 @@ func (handler *Handler) endpointGroupInspect(w http.ResponseWriter, r *http.Requ
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint group identifier route variable", err}
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	} else if err != nil {
--- a/api/http/handler/endpointgroups/endpointgroup_list.go
+++ b/api/http/handler/endpointgroups/endpointgroup_list.go
@@ -10,7 +10,7 @@ import (

 // GET request on /api/endpoint_groups
 func (handler *Handler) endpointGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from the database", err}
 	}
--- a/api/http/handler/endpointgroups/endpointgroup_update.go
+++ b/api/http/handler/endpointgroups/endpointgroup_update.go
@@ -13,7 +13,7 @@ import (
 type endpointGroupUpdatePayload struct {
 	Name               string
 	Description        string
-	TagIDs             []portainer.TagID
+	Tags               []string
 	UserAccessPolicies portainer.UserAccessPolicies
 	TeamAccessPolicies portainer.TeamAccessPolicies
 }
@@ -35,7 +35,7 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(portainer.EndpointGroupID(endpointGroupID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint group with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -50,44 +50,8 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		endpointGroup.Description = payload.Description
 	}

-	tagsChanged := false
-	if payload.TagIDs != nil {
-		payloadTagSet := portainer.TagSet(payload.TagIDs)
-		endpointGroupTagSet := portainer.TagSet((endpointGroup.TagIDs))
-		union := portainer.TagUnion(payloadTagSet, endpointGroupTagSet)
-		intersection := portainer.TagIntersection(payloadTagSet, endpointGroupTagSet)
-		tagsChanged = len(union) > len(intersection)
-
-		if tagsChanged {
-			removeTags := portainer.TagDifference(endpointGroupTagSet, payloadTagSet)
-
-			for tagID := range removeTags {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a tag inside the database", err}
-				}
-				delete(tag.EndpointGroups, endpointGroup.ID)
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-				}
-			}
-
-			endpointGroup.TagIDs = payload.TagIDs
-			for _, tagID := range payload.TagIDs {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a tag inside the database", err}
-				}
-
-				tag.EndpointGroups[endpointGroup.ID] = true
-
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-				}
-			}
-		}
+	if payload.Tags != nil {
+		endpointGroup.Tags = payload.Tags
 	}

 	updateAuthorizations := false
@@ -101,7 +65,7 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		updateAuthorizations = true
 	}

-	err = handler.DataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
+	err = handler.EndpointGroupService.UpdateEndpointGroup(endpointGroup.ID, endpointGroup)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint group changes inside the database", err}
 	}
@@ -113,22 +77,5 @@ func (handler *Handler) endpointGroupUpdate(w http.ResponseWriter, r *http.Reque
 		}
 	}

-	if tagsChanged {
-		endpoints, err := handler.DataStore.Endpoint().Endpoints()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
-
-		}
-
-		for _, endpoint := range endpoints {
-			if endpoint.GroupID == endpointGroup.ID {
-				err = handler.updateEndpointRelations(&endpoint, endpointGroup)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relations changes inside the database", err}
-				}
-			}
-		}
-	}
-
 	return response.JSON(w, endpointGroup)
 }
--- a/api/http/handler/endpointgroups/endpoints.go
+++ b/api/http/handler/endpointgroups/endpoints.go
@@ -1,42 +0,0 @@
-package endpointgroups
-
-import portainer "github.com/portainer/portainer/api"
-
-func (handler *Handler) updateEndpointRelations(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup) error {
-	if endpoint.Type != portainer.EdgeAgentEnvironment {
-		return nil
-	}
-
-	if endpointGroup == nil {
-		unassignedGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(portainer.EndpointGroupID(1))
-		if err != nil {
-			return err
-		}
-
-		endpointGroup = unassignedGroup
-	}
-
-	endpointRelation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
-		return err
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return err
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return err
-	}
-
-	endpointStacks := portainer.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
-	stacksSet := map[portainer.EdgeStackID]bool{}
-	for _, edgeStackID := range endpointStacks {
-		stacksSet[edgeStackID] = true
-	}
-	endpointRelation.EdgeStacks = stacksSet
-
-	return handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation)
-}
--- a/api/http/handler/endpointgroups/handler.go
+++ b/api/http/handler/endpointgroups/handler.go
@@ -12,7 +12,8 @@ import (
 // Handler is the HTTP handler used to handle endpoint group operations.
 type Handler struct {
 	*mux.Router
-	DataStore            portainer.DataStore
+	EndpointService      portainer.EndpointService
+	EndpointGroupService portainer.EndpointGroupService
 	AuthorizationService *portainer.AuthorizationService
 }

--- a/api/http/handler/endpointproxy/handler.go
+++ b/api/http/handler/endpointproxy/handler.go
@@ -11,8 +11,9 @@ import (
 // Handler is the HTTP handler used to proxy requests to external APIs.
 type Handler struct {
 	*mux.Router
-	DataStore            portainer.DataStore
 	requestBouncer       *security.RequestBouncer
+	EndpointService      portainer.EndpointService
+	SettingsService      portainer.SettingsService
 	ProxyManager         *proxy.Manager
 	ReverseTunnelService portainer.ReverseTunnelService
 }
@@ -23,6 +24,8 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router:         mux.NewRouter(),
 		requestBouncer: bouncer,
 	}
+	h.PathPrefix("/{id}/azure").Handler(
+		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToAzureAPI)))
 	h.PathPrefix("/{id}/docker").Handler(
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.proxyRequestsToDockerAPI)))
 	h.PathPrefix("/{id}/storidge").Handler(
--- a/api/http/handler/endpointproxy/proxy_azure.go
+++ b/api/http/handler/endpointproxy/proxy_azure.go
@@ -0,0 +1,43 @@
+package endpointproxy
+
+import (
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/portainer/api"
+
+	"net/http"
+)
+
+func (handler *Handler) proxyRequestsToAzureAPI(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
+	}
+
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
+	}
+
+	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint, false)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
+	}
+
+	var proxy http.Handler
+	proxy = handler.ProxyManager.GetProxy(endpoint)
+	if proxy == nil {
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
+		}
+	}
+
+	id := strconv.Itoa(endpointID)
+	http.StripPrefix("/"+id+"/azure", proxy).ServeHTTP(w, r)
+	return nil
+}
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@@ -18,7 +18,7 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -37,14 +37,14 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.

 		tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)
 		if tunnel.Status == portainer.EdgeAgentIdle {
-			handler.ProxyManager.DeleteEndpointProxy(endpoint)
+			handler.ProxyManager.DeleteProxy(endpoint)

 			err := handler.ReverseTunnelService.SetTunnelStatusToRequired(endpoint.ID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update tunnel status", err}
 			}

-			settings, err := handler.DataStore.Settings().Settings()
+			settings, err := handler.SettingsService.Settings()
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 			}
@@ -55,9 +55,9 @@ func (handler *Handler) proxyRequestsToDockerAPI(w http.ResponseWriter, r *http.
 	}

 	var proxy http.Handler
-	proxy = handler.ProxyManager.GetEndpointProxy(endpoint)
+	proxy = handler.ProxyManager.GetProxy(endpoint)
 	if proxy == nil {
-		proxy, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
+		proxy, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create proxy", err}
 		}
--- a/api/http/handler/endpointproxy/proxy_storidge.go
+++ b/api/http/handler/endpointproxy/proxy_storidge.go
@@ -18,7 +18,7 @@ func (handler *Handler) proxyRequestsToStoridgeAPI(w http.ResponseWriter, r *htt
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -18,18 +18,21 @@ import (
 )

 type endpointCreatePayload struct {
-	Name                string
-	URL                 string
-	EndpointType        int
-	PublicURL           string
-	GroupID             int
-	TLS                 bool
-	TLSSkipVerify       bool
-	TLSSkipClientVerify bool
-	TLSCACertFile       []byte
-	TLSCertFile         []byte
-	TLSKeyFile          []byte
-	TagIDs              []portainer.TagID
+	Name                   string
+	URL                    string
+	EndpointType           int
+	PublicURL              string
+	GroupID                int
+	TLS                    bool
+	TLSSkipVerify          bool
+	TLSSkipClientVerify    bool
+	TLSCACertFile          []byte
+	TLSCertFile            []byte
+	TLSKeyFile             []byte
+	AzureApplicationID     string
+	AzureTenantID          string
+	AzureAuthenticationKey string
+	Tags                   []string
 }

 func (payload *endpointCreatePayload) Validate(r *http.Request) error {
@@ -41,7 +44,7 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {

 	endpointType, err := request.RetrieveNumericMultiPartFormValue(r, "EndpointType", false)
 	if err != nil || endpointType == 0 {
-		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment) or 4 (Edge Agent environment)")
+		return portainer.Error("Invalid endpoint type value. Value must be one of: 1 (Docker environment), 2 (Agent environment), 3 (Azure environment) or 4 (Edge Agent environment)")
 	}
 	payload.EndpointType = endpointType

@@ -51,14 +54,14 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 	}
 	payload.GroupID = groupID

-	var tagIDs []portainer.TagID
-	err = request.RetrieveMultiPartFormJSONValue(r, "TagIds", &tagIDs, true)
+	var tags []string
+	err = request.RetrieveMultiPartFormJSONValue(r, "Tags", &tags, true)
 	if err != nil {
-		return portainer.Error("Invalid TagIds parameter")
+		return portainer.Error("Invalid Tags parameter")
 	}
-	payload.TagIDs = tagIDs
-	if payload.TagIDs == nil {
-		payload.TagIDs = make([]portainer.TagID, 0)
+	payload.Tags = tags
+	if payload.Tags == nil {
+		payload.Tags = make([]string, 0)
 	}

 	useTLS, _ := request.RetrieveBooleanMultiPartFormValue(r, "TLS", true)
@@ -93,20 +96,45 @@ func (payload *endpointCreatePayload) Validate(r *http.Request) error {
 		}
 	}

-	endpointURL, err := request.RetrieveMultiPartFormValue(r, "URL", true)
-	if err != nil {
-		return portainer.Error("Invalid endpoint URL")
-	}
-	payload.URL = endpointURL
+	switch portainer.EndpointType(payload.EndpointType) {
+	case portainer.AzureEnvironment:
+		azureApplicationID, err := request.RetrieveMultiPartFormValue(r, "AzureApplicationID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure application ID")
+		}
+		payload.AzureApplicationID = azureApplicationID

-	publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
-	payload.PublicURL = publicURL
+		azureTenantID, err := request.RetrieveMultiPartFormValue(r, "AzureTenantID", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure tenant ID")
+		}
+		payload.AzureTenantID = azureTenantID
+
+		azureAuthenticationKey, err := request.RetrieveMultiPartFormValue(r, "AzureAuthenticationKey", false)
+		if err != nil {
+			return portainer.Error("Invalid Azure authentication key")
+		}
+		payload.AzureAuthenticationKey = azureAuthenticationKey
+	default:
+		url, err := request.RetrieveMultiPartFormValue(r, "URL", true)
+		if err != nil {
+			return portainer.Error("Invalid endpoint URL")
+		}
+		payload.URL = url
+
+		publicURL, _ := request.RetrieveMultiPartFormValue(r, "PublicURL", true)
+		payload.PublicURL = publicURL
+	}

 	return nil
 }

 // POST request on /api/endpoints
 func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
 	payload := &endpointCreatePayload{}
 	err := payload.Validate(r)
 	if err != nil {
@@ -118,43 +146,13 @@ func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *
 		return endpointCreationError
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint group inside the database", err}
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from the database", err}
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stacks from the database", err}
-	}
-
-	relationObject := &portainer.EndpointRelation{
-		EndpointID: endpoint.ID,
-		EdgeStacks: map[portainer.EdgeStackID]bool{},
-	}
-
-	if endpoint.Type == portainer.EdgeAgentEnvironment {
-		relatedEdgeStacks := portainer.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
-		for _, stackID := range relatedEdgeStacks {
-			relationObject.EdgeStacks[stackID] = true
-		}
-	}
-
-	err = handler.DataStore.EndpointRelation().CreateEndpointRelation(relationObject)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the relation object inside the database", err}
-	}
-
 	return response.JSON(w, endpoint)
 }

 func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
+	if portainer.EndpointType(payload.EndpointType) == portainer.AzureEnvironment {
+		return handler.createAzureEndpoint(payload)
+	} else if portainer.EndpointType(payload.EndpointType) == portainer.EdgeAgentEnvironment {
 		return handler.createEdgeAgentEndpoint(payload)
 	}

@@ -164,9 +162,47 @@ func (handler *Handler) createEndpoint(payload *endpointCreatePayload) (*portain
 	return handler.createUnsecuredEndpoint(payload)
 }

+func (handler *Handler) createAzureEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
+	credentials := portainer.AzureCredentials{
+		ApplicationID:     payload.AzureApplicationID,
+		TenantID:          payload.AzureTenantID,
+		AuthenticationKey: payload.AzureAuthenticationKey,
+	}
+
+	httpClient := client.NewHTTPClient()
+	_, err := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", err}
+	}
+
+	endpointID := handler.EndpointService.GetNextIdentifier()
+	endpoint := &portainer.Endpoint{
+		ID:                 portainer.EndpointID(endpointID),
+		Name:               payload.Name,
+		URL:                "https://management.azure.com",
+		Type:               portainer.AzureEnvironment,
+		GroupID:            portainer.EndpointGroupID(payload.GroupID),
+		PublicURL:          payload.PublicURL,
+		UserAccessPolicies: portainer.UserAccessPolicies{},
+		TeamAccessPolicies: portainer.TeamAccessPolicies{},
+		Extensions:         []portainer.EndpointExtension{},
+		AzureCredentials:   credentials,
+		Tags:               payload.Tags,
+		Status:             portainer.EndpointStatusUp,
+		Snapshots:          []portainer.Snapshot{},
+	}
+
+	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "An error occured while trying to create the endpoint", err}
+	}
+
+	return endpoint, nil
+}
+
 func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
 	endpointType := portainer.EdgeAgentEnvironment
-	endpointID := handler.DataStore.Endpoint().GetNextIdentifier()
+	endpointID := handler.EndpointService.GetNextIdentifier()

 	portainerURL, err := url.Parse(payload.URL)
 	if err != nil {
@@ -196,7 +232,7 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		AuthorizedUsers: []portainer.UserID{},
 		AuthorizedTeams: []portainer.TeamID{},
 		Extensions:      []portainer.EndpointExtension{},
-		TagIDs:          payload.TagIDs,
+		Tags:            payload.Tags,
 		Status:          portainer.EndpointStatusUp,
 		Snapshots:       []portainer.Snapshot{},
 		EdgeKey:         edgeKey,
@@ -228,7 +264,7 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		}
 	}

-	endpointID := handler.DataStore.Endpoint().GetNextIdentifier()
+	endpointID := handler.EndpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:        portainer.EndpointID(endpointID),
 		Name:      payload.Name,
@@ -242,7 +278,7 @@ func (handler *Handler) createUnsecuredEndpoint(payload *endpointCreatePayload)
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 		Extensions:         []portainer.EndpointExtension{},
-		TagIDs:             payload.TagIDs,
+		Tags:               payload.Tags,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.Snapshot{},
 	}
@@ -271,7 +307,7 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload)
 		endpointType = portainer.AgentOnDockerEnvironment
 	}

-	endpointID := handler.DataStore.Endpoint().GetNextIdentifier()
+	endpointID := handler.EndpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:        portainer.EndpointID(endpointID),
 		Name:      payload.Name,
@@ -286,7 +322,7 @@ func (handler *Handler) createTLSSecuredEndpoint(payload *endpointCreatePayload)
 		UserAccessPolicies: portainer.UserAccessPolicies{},
 		TeamAccessPolicies: portainer.TeamAccessPolicies{},
 		Extensions:         []portainer.EndpointExtension{},
-		TagIDs:             payload.TagIDs,
+		Tags:               payload.Tags,
 		Status:             portainer.EndpointStatusUp,
 		Snapshots:          []portainer.Snapshot{},
 	}
@@ -327,12 +363,12 @@ func (handler *Handler) snapshotAndPersistEndpoint(endpoint *portainer.Endpoint)
 }

 func (handler *Handler) saveEndpointAndUpdateAuthorizations(endpoint *portainer.Endpoint) error {
-	err := handler.DataStore.Endpoint().CreateEndpoint(endpoint)
+	err := handler.EndpointService.CreateEndpoint(endpoint)
 	if err != nil {
 		return err
 	}

-	group, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
+	group, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
 	if err != nil {
 		return err
 	}
@@ -341,20 +377,6 @@ func (handler *Handler) saveEndpointAndUpdateAuthorizations(endpoint *portainer.
 		return handler.AuthorizationService.UpdateUsersAuthorizations()
 	}

-	for _, tagID := range endpoint.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return err
-		}
-
-		tag.Endpoints[endpoint.ID] = true
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
-			return err
-		}
-	}
-
 	return nil
 }

--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -12,12 +12,16 @@ import (

 // DELETE request on /api/endpoints/:id
 func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -32,12 +36,12 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	err = handler.DataStore.Endpoint().DeleteEndpoint(portainer.EndpointID(endpointID))
+	err = handler.EndpointService.DeleteEndpoint(portainer.EndpointID(endpointID))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove endpoint from the database", err}
 	}

-	handler.ProxyManager.DeleteEndpointProxy(endpoint)
+	handler.ProxyManager.DeleteProxy(endpoint)

 	if len(endpoint.UserAccessPolicies) > 0 || len(endpoint.TeamAccessPolicies) > 0 {
 		err = handler.AuthorizationService.UpdateUsersAuthorizations()
@@ -46,75 +50,5 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	err = handler.DataStore.EndpointRelation().DeleteEndpointRelation(endpoint.ID)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove endpoint relation from the database", err}
-	}
-
-	for _, tagID := range endpoint.TagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusNotFound, "Unable to find tag inside the database", err}
-		}
-
-		delete(tag.Endpoints, endpoint.ID)
-
-		err = handler.DataStore.Tag().UpdateTag(tagID, tag)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag relation inside the database", err}
-		}
-	}
-
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from the database", err}
-	}
-
-	for idx := range edgeGroups {
-		edgeGroup := &edgeGroups[idx]
-		endpointIdx := findEndpointIndex(edgeGroup.Endpoints, endpoint.ID)
-		if endpointIdx != -1 {
-			edgeGroup.Endpoints = removeElement(edgeGroup.Endpoints, endpointIdx)
-			err = handler.DataStore.EdgeGroup().UpdateEdgeGroup(edgeGroup.ID, edgeGroup)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update edge group", err}
-			}
-		}
-	}
-
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stacks from the database", err}
-	}
-
-	for idx := range edgeStacks {
-		edgeStack := &edgeStacks[idx]
-		if _, ok := edgeStack.Status[endpoint.ID]; ok {
-			delete(edgeStack.Status, endpoint.ID)
-			err = handler.DataStore.EdgeStack().UpdateEdgeStack(edgeStack.ID, edgeStack)
-			if err != nil {
-				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update edge stack", err}
-			}
-		}
-	}
-
 	return response.Empty(w)
 }
-
-func findEndpointIndex(tags []portainer.EndpointID, searchEndpointID portainer.EndpointID) int {
-	for idx, tagID := range tags {
-		if searchEndpointID == tagID {
-			return idx
-		}
-	}
-	return -1
-}
-
-func removeElement(arr []portainer.EndpointID, index int) []portainer.EndpointID {
-	if index < 0 {
-		return arr
-	}
-	lastTagIdx := len(arr) - 1
-	arr[index] = arr[lastTagIdx]
-	return arr[:lastTagIdx]
-}
--- a/api/http/handler/endpoints/endpoint_extension_add.go
+++ b/api/http/handler/endpoints/endpoint_extension_add.go
@@ -34,7 +34,7 @@ func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Requ
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -66,7 +66,7 @@ func (handler *Handler) endpointExtensionAdd(w http.ResponseWriter, r *http.Requ
 		endpoint.Extensions = append(endpoint.Extensions, *extension)
 	}

-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}
--- a/api/http/handler/endpoints/endpoint_extension_remove.go
+++ b/api/http/handler/endpoints/endpoint_extension_remove.go
@@ -18,7 +18,7 @@ func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.R
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -36,7 +36,7 @@ func (handler *Handler) endpointExtensionRemove(w http.ResponseWriter, r *http.R
 		}
 	}

-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}
--- a/api/http/handler/endpoints/endpoint_inspect.go
+++ b/api/http/handler/endpoints/endpoint_inspect.go
@@ -16,7 +16,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
--- a/api/http/handler/endpoints/endpoint_job.go
+++ b/api/http/handler/endpoints/endpoint_job.go
@@ -63,7 +63,7 @@ func (handler *Handler) endpointJob(w http.ResponseWriter, r *http.Request) *htt

 	nodeName, _ := request.RetrieveQueryParameter(r, "nodeName", true)

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -5,7 +5,7 @@ import (
 	"strconv"
 	"strings"

-	"github.com/portainer/portainer/api"
+	portainer "github.com/portainer/portainer/api"

 	"github.com/portainer/libhttp/request"

@@ -28,22 +28,13 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht

 	groupID, _ := request.RetrieveNumericQueryParameter(r, "groupId", true)
 	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
-	endpointType, _ := request.RetrieveNumericQueryParameter(r, "type", true)

-	var tagIDs []portainer.TagID
-	request.RetrieveJSONQueryParameter(r, "tagIds", &tagIDs, true)
-
-	tagsPartialMatch, _ := request.RetrieveBooleanQueryParameter(r, "tagsPartialMatch", true)
-
-	var endpointIDs []portainer.EndpointID
-	request.RetrieveJSONQueryParameter(r, "endpointIds", &endpointIDs, true)
-
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from the database", err}
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
 	}
@@ -55,32 +46,12 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht

 	filteredEndpoints := security.FilterEndpoints(endpoints, endpointGroups, securityContext)

-	if endpointIDs != nil {
-		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, endpointIDs)
-	}
-
 	if groupID != 0 {
 		filteredEndpoints = filterEndpointsByGroupID(filteredEndpoints, portainer.EndpointGroupID(groupID))
 	}

 	if search != "" {
-		tags, err := handler.DataStore.Tag().Tags()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve tags from the database", err}
-		}
-		tagsMap := make(map[portainer.TagID]string)
-		for _, tag := range tags {
-			tagsMap[tag.ID] = tag.Name
-		}
-		filteredEndpoints = filterEndpointsBySearchCriteria(filteredEndpoints, endpointGroups, tagsMap, search)
-	}
-
-	if endpointType != 0 {
-		filteredEndpoints = filterEndpointsByType(filteredEndpoints, portainer.EndpointType(endpointType))
-	}
-
-	if tagIDs != nil {
-		filteredEndpoints = filteredEndpointsByTags(filteredEndpoints, tagIDs, endpointGroups, tagsPartialMatch)
+		filteredEndpoints = filterEndpointsBySearchCriteria(filteredEndpoints, endpointGroups, search)
 	}

 	filteredEndpointCount := len(filteredEndpoints)
@@ -126,17 +97,17 @@ func filterEndpointsByGroupID(endpoints []portainer.Endpoint, endpointGroupID po
 	return filteredEndpoints
 }

-func filterEndpointsBySearchCriteria(endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, tagsMap map[portainer.TagID]string, searchCriteria string) []portainer.Endpoint {
+func filterEndpointsBySearchCriteria(endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, searchCriteria string) []portainer.Endpoint {
 	filteredEndpoints := make([]portainer.Endpoint, 0)

 	for _, endpoint := range endpoints {
-		endpointTags := convertTagIDsToTags(tagsMap, endpoint.TagIDs)
-		if endpointMatchSearchCriteria(&endpoint, endpointTags, searchCriteria) {
+
+		if endpointMatchSearchCriteria(&endpoint, searchCriteria) {
 			filteredEndpoints = append(filteredEndpoints, endpoint)
 			continue
 		}

-		if endpointGroupMatchSearchCriteria(&endpoint, endpointGroups, tagsMap, searchCriteria) {
+		if endpointGroupMatchSearchCriteria(&endpoint, endpointGroups, searchCriteria) {
 			filteredEndpoints = append(filteredEndpoints, endpoint)
 		}
 	}
@@ -144,7 +115,7 @@ func filterEndpointsBySearchCriteria(endpoints []portainer.Endpoint, endpointGro
 	return filteredEndpoints
 }

-func endpointMatchSearchCriteria(endpoint *portainer.Endpoint, tags []string, searchCriteria string) bool {
+func endpointMatchSearchCriteria(endpoint *portainer.Endpoint, searchCriteria string) bool {
 	if strings.Contains(strings.ToLower(endpoint.Name), searchCriteria) {
 		return true
 	}
@@ -158,7 +129,8 @@ func endpointMatchSearchCriteria(endpoint *portainer.Endpoint, tags []string, se
 	} else if endpoint.Status == portainer.EndpointStatusDown && searchCriteria == "down" {
 		return true
 	}
-	for _, tag := range tags {
+
+	for _, tag := range endpoint.Tags {
 		if strings.Contains(strings.ToLower(tag), searchCriteria) {
 			return true
 		}
@@ -167,14 +139,14 @@ func endpointMatchSearchCriteria(endpoint *portainer.Endpoint, tags []string, se
 	return false
 }

-func endpointGroupMatchSearchCriteria(endpoint *portainer.Endpoint, endpointGroups []portainer.EndpointGroup, tagsMap map[portainer.TagID]string, searchCriteria string) bool {
+func endpointGroupMatchSearchCriteria(endpoint *portainer.Endpoint, endpointGroups []portainer.EndpointGroup, searchCriteria string) bool {
 	for _, group := range endpointGroups {
 		if group.ID == endpoint.GroupID {
 			if strings.Contains(strings.ToLower(group.Name), searchCriteria) {
 				return true
 			}
-			tags := convertTagIDsToTags(tagsMap, group.TagIDs)
-			for _, tag := range tags {
+
+			for _, tag := range group.Tags {
 				if strings.Contains(strings.ToLower(tag), searchCriteria) {
 					return true
 				}
@@ -184,106 +156,3 @@ func endpointGroupMatchSearchCriteria(endpoint *portainer.Endpoint, endpointGrou

 	return false
 }
-
-func filterEndpointsByType(endpoints []portainer.Endpoint, endpointType portainer.EndpointType) []portainer.Endpoint {
-	filteredEndpoints := make([]portainer.Endpoint, 0)
-
-	for _, endpoint := range endpoints {
-		if endpoint.Type == endpointType {
-			filteredEndpoints = append(filteredEndpoints, endpoint)
-		}
-	}
-	return filteredEndpoints
-}
-
-func convertTagIDsToTags(tagsMap map[portainer.TagID]string, tagIDs []portainer.TagID) []string {
-	tags := make([]string, 0)
-	for _, tagID := range tagIDs {
-		tags = append(tags, tagsMap[tagID])
-	}
-	return tags
-}
-
-func filteredEndpointsByTags(endpoints []portainer.Endpoint, tagIDs []portainer.TagID, endpointGroups []portainer.EndpointGroup, partialMatch bool) []portainer.Endpoint {
-	filteredEndpoints := make([]portainer.Endpoint, 0)
-
-	for _, endpoint := range endpoints {
-		endpointGroup := getEndpointGroup(endpoint.GroupID, endpointGroups)
-		endpointMatched := false
-		if partialMatch {
-			endpointMatched = endpointPartialMatchTags(endpoint, endpointGroup, tagIDs)
-		} else {
-			endpointMatched = endpointFullMatchTags(endpoint, endpointGroup, tagIDs)
-		}
-
-		if endpointMatched {
-			filteredEndpoints = append(filteredEndpoints, endpoint)
-		}
-	}
-	return filteredEndpoints
-}
-
-func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.EndpointGroup) portainer.EndpointGroup {
-	var endpointGroup portainer.EndpointGroup
-	for _, group := range groups {
-		if group.ID == groupID {
-			endpointGroup = group
-			break
-		}
-	}
-	return endpointGroup
-}
-
-func endpointPartialMatchTags(endpoint portainer.Endpoint, endpointGroup portainer.EndpointGroup, tagIDs []portainer.TagID) bool {
-	tagSet := make(map[portainer.TagID]bool)
-	for _, tagID := range tagIDs {
-		tagSet[tagID] = true
-	}
-	for _, tagID := range endpoint.TagIDs {
-		if tagSet[tagID] {
-			return true
-		}
-	}
-	for _, tagID := range endpointGroup.TagIDs {
-		if tagSet[tagID] {
-			return true
-		}
-	}
-	return false
-}
-
-func endpointFullMatchTags(endpoint portainer.Endpoint, endpointGroup portainer.EndpointGroup, tagIDs []portainer.TagID) bool {
-	missingTags := make(map[portainer.TagID]bool)
-	for _, tagID := range tagIDs {
-		missingTags[tagID] = true
-	}
-	for _, tagID := range endpoint.TagIDs {
-		if missingTags[tagID] {
-			delete(missingTags, tagID)
-		}
-	}
-	for _, tagID := range endpointGroup.TagIDs {
-		if missingTags[tagID] {
-			delete(missingTags, tagID)
-		}
-	}
-	return len(missingTags) == 0
-}
-
-func filteredEndpointsByIds(endpoints []portainer.Endpoint, ids []portainer.EndpointID) []portainer.Endpoint {
-	filteredEndpoints := make([]portainer.Endpoint, 0)
-
-	idsSet := make(map[portainer.EndpointID]bool)
-	for _, id := range ids {
-		idsSet[id] = true
-	}
-
-	for _, endpoint := range endpoints {
-		if idsSet[endpoint.ID] {
-			filteredEndpoints = append(filteredEndpoints, endpoint)
-		}
-	}
-
-	return filteredEndpoints
-
-}
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@@ -16,16 +16,20 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

+	if endpoint.Type == portainer.AzureEnvironment {
+		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for Azure endpoints", err}
+	}
+
 	snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(endpoint)

-	latestEndpointReference, err := handler.DataStore.Endpoint().Endpoint(endpoint.ID)
+	latestEndpointReference, err := handler.EndpointService.Endpoint(endpoint.ID)
 	if latestEndpointReference == nil {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}
@@ -39,7 +43,7 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 		latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
 	}

-	err = handler.DataStore.Endpoint().UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
+	err = handler.EndpointService.UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}
--- a/api/http/handler/endpoints/endpoint_snapshots.go
+++ b/api/http/handler/endpoints/endpoint_snapshots.go
@@ -11,15 +11,19 @@ import (

 // POST request on /api/endpoints/snapshot
 func (handler *Handler) endpointSnapshots(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from the database", err}
 	}

 	for _, endpoint := range endpoints {
+		if endpoint.Type == portainer.AzureEnvironment {
+			continue
+		}
+
 		snapshot, snapshotError := handler.Snapshotter.CreateSnapshot(&endpoint)

-		latestEndpointReference, err := handler.DataStore.Endpoint().Endpoint(endpoint.ID)
+		latestEndpointReference, err := handler.EndpointService.Endpoint(endpoint.ID)
 		if latestEndpointReference == nil {
 			log.Printf("background schedule error (endpoint snapshot). Endpoint not found inside the database anymore (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 			continue
@@ -35,7 +39,7 @@ func (handler *Handler) endpointSnapshots(w http.ResponseWriter, r *http.Request
 			latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
 		}

-		err = handler.DataStore.Endpoint().UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
+		err = handler.EndpointService.UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 		}
--- a/api/http/handler/endpoints/endpoint_status_inspect.go
+++ b/api/http/handler/endpoints/endpoint_status_inspect.go
@@ -1,6 +1,7 @@
 package endpoints

 import (
+	"errors"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@@ -9,18 +10,12 @@ import (
 	"github.com/portainer/portainer/api"
 )

-type stackStatusResponse struct {
-	ID      portainer.EdgeStackID
-	Version int
-}
-
 type endpointStatusInspectResponse struct {
 	Status          string                   `json:"status"`
 	Port            int                      `json:"port"`
 	Schedules       []portainer.EdgeSchedule `json:"schedules"`
 	CheckinInterval int                      `json:"checkin"`
 	Credentials     string                   `json:"credentials"`
-	Stacks          []stackStatusResponse    `json:"stacks"`
 }

 // GET request on /api/endpoints/:id/status
@@ -30,30 +25,36 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
 	}

-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusForbidden, "Permission denied to access endpoint", err}
+	if endpoint.Type != portainer.EdgeAgentEnvironment {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Status unavailable for non Edge agent endpoints", errors.New("Status unavailable")}
+	}
+
+	edgeIdentifier := r.Header.Get(portainer.PortainerAgentEdgeIDHeader)
+	if edgeIdentifier == "" {
+		return &httperror.HandlerError{http.StatusForbidden, "Missing Edge identifier", errors.New("missing Edge identifier")}
+	}
+
+	if endpoint.EdgeID != "" && endpoint.EdgeID != edgeIdentifier {
+		return &httperror.HandlerError{http.StatusForbidden, "Invalid Edge identifier", errors.New("invalid Edge identifier")}
 	}

 	if endpoint.EdgeID == "" {
-		edgeIdentifier := r.Header.Get(portainer.PortainerAgentEdgeIDHeader)
-
 		endpoint.EdgeID = edgeIdentifier

-		err := handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+		err := handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to Unable to persist endpoint changes inside the database", err}
 		}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}
@@ -72,27 +73,5 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		handler.ReverseTunnelService.SetTunnelStatusToActive(endpoint.ID)
 	}

-	relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve relation object from the database", err}
-	}
-
-	edgeStacksStatus := []stackStatusResponse{}
-	for stackID := range relation.EdgeStacks {
-		stack, err := handler.DataStore.EdgeStack().EdgeStack(stackID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stack from the database", err}
-		}
-
-		stackStatus := stackStatusResponse{
-			ID:      stack.ID,
-			Version: stack.Version,
-		}
-
-		edgeStacksStatus = append(edgeStacksStatus, stackStatus)
-	}
-
-	statusResponse.Stacks = edgeStacksStatus
-
 	return response.JSON(w, statusResponse)
 }
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -9,20 +9,24 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/client"
 )

 type endpointUpdatePayload struct {
-	Name                *string
-	URL                 *string
-	PublicURL           *string
-	GroupID             *int
-	TLS                 *bool
-	TLSSkipVerify       *bool
-	TLSSkipClientVerify *bool
-	Status              *int
-	TagIDs              []portainer.TagID
-	UserAccessPolicies  portainer.UserAccessPolicies
-	TeamAccessPolicies  portainer.TeamAccessPolicies
+	Name                   *string
+	URL                    *string
+	PublicURL              *string
+	GroupID                *int
+	TLS                    *bool
+	TLSSkipVerify          *bool
+	TLSSkipClientVerify    *bool
+	Status                 *int
+	AzureApplicationID     *string
+	AzureTenantID          *string
+	AzureAuthenticationKey *string
+	Tags                   []string
+	UserAccessPolicies     portainer.UserAccessPolicies
+	TeamAccessPolicies     portainer.TeamAccessPolicies
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@@ -31,6 +35,10 @@ func (payload *endpointUpdatePayload) Validate(r *http.Request) error {

 // PUT request on /api/endpoints/:id
 func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if !handler.authorizeEndpointManagement {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Endpoint management is disabled", ErrEndpointManagementDisabled}
+	}
+
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid endpoint identifier route variable", err}
@@ -42,7 +50,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -61,52 +69,12 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		endpoint.PublicURL = *payload.PublicURL
 	}

-	groupIDChanged := false
 	if payload.GroupID != nil {
-		groupID := portainer.EndpointGroupID(*payload.GroupID)
-		groupIDChanged = groupID != endpoint.GroupID
-		endpoint.GroupID = groupID
+		endpoint.GroupID = portainer.EndpointGroupID(*payload.GroupID)
 	}

-	tagsChanged := false
-	if payload.TagIDs != nil {
-		payloadTagSet := portainer.TagSet(payload.TagIDs)
-		endpointTagSet := portainer.TagSet((endpoint.TagIDs))
-		union := portainer.TagUnion(payloadTagSet, endpointTagSet)
-		intersection := portainer.TagIntersection(payloadTagSet, endpointTagSet)
-		tagsChanged = len(union) > len(intersection)
-
-		if tagsChanged {
-			removeTags := portainer.TagDifference(endpointTagSet, payloadTagSet)
-
-			for tagID := range removeTags {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a tag inside the database", err}
-				}
-
-				delete(tag.Endpoints, endpoint.ID)
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-				}
-			}
-
-			endpoint.TagIDs = payload.TagIDs
-			for _, tagID := range payload.TagIDs {
-				tag, err := handler.DataStore.Tag().Tag(tagID)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a tag inside the database", err}
-				}
-
-				tag.Endpoints[endpoint.ID] = true
-
-				err = handler.DataStore.Tag().UpdateTag(tag.ID, tag)
-				if err != nil {
-					return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist tag changes inside the database", err}
-				}
-			}
-		}
+	if payload.Tags != nil {
+		endpoint.Tags = payload.Tags
 	}

 	updateAuthorizations := false
@@ -133,6 +101,26 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

+	if endpoint.Type == portainer.AzureEnvironment {
+		credentials := endpoint.AzureCredentials
+		if payload.AzureApplicationID != nil {
+			credentials.ApplicationID = *payload.AzureApplicationID
+		}
+		if payload.AzureTenantID != nil {
+			credentials.TenantID = *payload.AzureTenantID
+		}
+		if payload.AzureAuthenticationKey != nil {
+			credentials.AuthenticationKey = *payload.AzureAuthenticationKey
+		}
+
+		httpClient := client.NewHTTPClient()
+		_, authErr := httpClient.ExecuteAzureAuthenticationRequest(&credentials)
+		if authErr != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate against Azure", authErr}
+		}
+		endpoint.AzureCredentials = credentials
+	}
+
 	if payload.TLS != nil {
 		folder := strconv.Itoa(endpointID)

@@ -177,14 +165,14 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if payload.URL != nil || payload.TLS != nil {
-		_, err = handler.ProxyManager.CreateAndRegisterEndpointProxy(endpoint)
+	if payload.URL != nil || payload.TLS != nil || endpoint.Type == portainer.AzureEnvironment {
+		_, err = handler.ProxyManager.CreateAndRegisterProxy(endpoint)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to register HTTP proxy for the endpoint", err}
 		}
 	}

-	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	err = handler.EndpointService.UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint changes inside the database", err}
 	}
@@ -196,41 +184,5 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

-	if endpoint.Type == portainer.EdgeAgentEnvironment && (groupIDChanged || tagsChanged) {
-		relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpoint.ID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation inside the database", err}
-		}
-
-		endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint group inside the database", err}
-		}
-
-		edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from the database", err}
-		}
-
-		edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stacks from the database", err}
-		}
-
-		edgeStackSet := map[portainer.EdgeStackID]bool{}
-
-		endpointEdgeStacks := portainer.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
-		for _, edgeStackID := range endpointEdgeStacks {
-			edgeStackSet[edgeStackID] = true
-		}
-
-		relation.EdgeStacks = edgeStackSet
-
-		err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation changes inside the database", err}
-		}
-	}
-
 	return response.JSON(w, endpoint)
 }
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@@ -11,7 +11,14 @@ import (
 	"github.com/gorilla/mux"
 )

+const (
+	// ErrEndpointManagementDisabled is an error raised when trying to access the endpoints management endpoints
+	// when the server has been started with the --external-endpoints flag
+	ErrEndpointManagementDisabled = portainer.Error("Endpoint management is disabled")
+)
+
 func hideFields(endpoint *portainer.Endpoint) {
+	endpoint.AzureCredentials = portainer.AzureCredentials{}
 	if len(endpoint.Snapshots) > 0 {
 		endpoint.Snapshots[0].SnapshotRaw = portainer.SnapshotRaw{}
 	}
@@ -20,21 +27,25 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle endpoint operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer       *security.RequestBouncer
-	DataStore            portainer.DataStore
-	AuthorizationService *portainer.AuthorizationService
-	FileService          portainer.FileService
-	JobService           portainer.JobService
-	ProxyManager         *proxy.Manager
-	ReverseTunnelService portainer.ReverseTunnelService
-	Snapshotter          portainer.Snapshotter
+	authorizeEndpointManagement bool
+	requestBouncer              *security.RequestBouncer
+	EndpointService             portainer.EndpointService
+	EndpointGroupService        portainer.EndpointGroupService
+	FileService                 portainer.FileService
+	ProxyManager                *proxy.Manager
+	Snapshotter                 portainer.Snapshotter
+	JobService                  portainer.JobService
+	ReverseTunnelService        portainer.ReverseTunnelService
+	SettingsService             portainer.SettingsService
+	AuthorizationService        *portainer.AuthorizationService
 }

 // NewHandler creates a handler to manage endpoint operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, authorizeEndpointManagement bool) *Handler {
 	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
+		Router:                      mux.NewRouter(),
+		authorizeEndpointManagement: authorizeEndpointManagement,
+		requestBouncer:              bouncer,
 	}

 	h.Handle("/endpoints",
@@ -59,5 +70,6 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointSnapshot))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/status",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.endpointStatusInspect))).Methods(http.MethodGet)
+
 	return h
 }
--- a/api/http/handler/extensions/data.go
+++ b/api/http/handler/extensions/data.go
@@ -1,117 +0,0 @@
-package extensions
-
-import (
-	portainer "github.com/portainer/portainer/api"
-)
-
-func updateUserAccessPolicyToReadOnlyRole(policies portainer.UserAccessPolicies, key portainer.UserID) {
-	tmp := policies[key]
-	tmp.RoleID = 4
-	policies[key] = tmp
-}
-
-func updateTeamAccessPolicyToReadOnlyRole(policies portainer.TeamAccessPolicies, key portainer.TeamID) {
-	tmp := policies[key]
-	tmp.RoleID = 4
-	policies[key] = tmp
-}
-
-func (handler *Handler) upgradeRBACData() error {
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	for _, endpointGroup := range endpointGroups {
-		for key := range endpointGroup.UserAccessPolicies {
-			updateUserAccessPolicyToReadOnlyRole(endpointGroup.UserAccessPolicies, key)
-		}
-
-		for key := range endpointGroup.TeamAccessPolicies {
-			updateTeamAccessPolicyToReadOnlyRole(endpointGroup.TeamAccessPolicies, key)
-		}
-
-		err := handler.DataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
-		if err != nil {
-			return err
-		}
-	}
-
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		for key := range endpoint.UserAccessPolicies {
-			updateUserAccessPolicyToReadOnlyRole(endpoint.UserAccessPolicies, key)
-		}
-
-		for key := range endpoint.TeamAccessPolicies {
-			updateTeamAccessPolicyToReadOnlyRole(endpoint.TeamAccessPolicies, key)
-		}
-
-		err := handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
-		if err != nil {
-			return err
-		}
-	}
-
-	return handler.AuthorizationService.UpdateUsersAuthorizations()
-}
-
-func updateUserAccessPolicyToNoRole(policies portainer.UserAccessPolicies, key portainer.UserID) {
-	tmp := policies[key]
-	tmp.RoleID = 0
-	policies[key] = tmp
-}
-
-func updateTeamAccessPolicyToNoRole(policies portainer.TeamAccessPolicies, key portainer.TeamID) {
-	tmp := policies[key]
-	tmp.RoleID = 0
-	policies[key] = tmp
-}
-
-func (handler *Handler) downgradeRBACData() error {
-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
-	if err != nil {
-		return err
-	}
-
-	for _, endpointGroup := range endpointGroups {
-		for key := range endpointGroup.UserAccessPolicies {
-			updateUserAccessPolicyToNoRole(endpointGroup.UserAccessPolicies, key)
-		}
-
-		for key := range endpointGroup.TeamAccessPolicies {
-			updateTeamAccessPolicyToNoRole(endpointGroup.TeamAccessPolicies, key)
-		}
-
-		err := handler.DataStore.EndpointGroup().UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
-		if err != nil {
-			return err
-		}
-	}
-
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
-	if err != nil {
-		return err
-	}
-
-	for _, endpoint := range endpoints {
-		for key := range endpoint.UserAccessPolicies {
-			updateUserAccessPolicyToNoRole(endpoint.UserAccessPolicies, key)
-		}
-
-		for key := range endpoint.TeamAccessPolicies {
-			updateTeamAccessPolicyToNoRole(endpoint.TeamAccessPolicies, key)
-		}
-
-		err := handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, &endpoint)
-		if err != nil {
-			return err
-		}
-	}
-
-	return handler.AuthorizationService.UpdateUsersAuthorizations()
-}
--- a/api/http/handler/extensions/extension_create.go
+++ b/api/http/handler/extensions/extension_create.go
@@ -36,7 +36,7 @@ func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request)
 	}
 	extensionID := portainer.ExtensionID(extensionIdentifier)

-	extensions, err := handler.DataStore.Extension().Extensions()
+	extensions, err := handler.ExtensionService.Extensions()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve extensions status from the database", err}
 	}
@@ -77,7 +77,7 @@ func (handler *Handler) extensionCreate(w http.ResponseWriter, r *http.Request)
 		}
 	}

-	err = handler.DataStore.Extension().Persist(extension)
+	err = handler.ExtensionService.Persist(extension)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist extension status inside the database", err}
 	}
--- a/api/http/handler/extensions/extension_delete.go
+++ b/api/http/handler/extensions/extension_delete.go
@@ -17,7 +17,7 @@ func (handler *Handler) extensionDelete(w http.ResponseWriter, r *http.Request)
 	}
 	extensionID := portainer.ExtensionID(extensionIdentifier)

-	extension, err := handler.DataStore.Extension().Extension(extensionID)
+	extension, err := handler.ExtensionService.Extension(extensionID)
 	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a extension with the specified identifier inside the database", err}
 	} else if err != nil {
@@ -29,14 +29,7 @@ func (handler *Handler) extensionDelete(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete extension", err}
 	}

-	if extensionID == portainer.RBACExtension {
-		err = handler.downgradeRBACData()
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "An error occured during database update", err}
-		}
-	}
-
-	err = handler.DataStore.Extension().DeleteExtension(extensionID)
+	err = handler.ExtensionService.DeleteExtension(extensionID)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete the extension from the database", err}
 	}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Anthony Lapenna	80439b1ca9	chore(version): bump version number	2019-11-05 14:41:27 +13:00
Anthony Lapenna	857a363e84	Revert "fix(api): fix invalid resource control check (#3225 )" (#3327 ) This reverts commit `1fbe6a12f1`.	2019-11-01 17:48:51 +13:00
Anthony Lapenna	2f32119f34	fix(api): data migration to update default Portainer authorizations (#3314 )	2019-11-01 17:48:20 +13:00