Merge tag '1.24.1' into demo

Release 1.24.1
chore(version): bump version number
2020-07-23 11:43:41 +12:00 · 2020-07-23 10:28:34 +12:00 · 2020-07-22 21:13:51 +12:00 · 2020-07-17 17:04:32 +12:00 · 2020-07-16 20:57:52 +12:00 · 2020-07-13 22:27:22 +12:00
1054 changed files with 23333 additions and 44230 deletions
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -1,44 +1,62 @@
 version: "2"
 checks:
  argument-count:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 4
  complex-logic:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 4
  file-lines:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 300
  method-complexity:
    enabled: false
  method-count:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 20
  method-lines:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 50
  nested-control-flow:
-    enabled: false
+    enabled: true
+    config:
+      threshold: 4
  return-statements:
    enabled: false
  similar-code:
-    enabled: false
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
  identical-code:
-    enabled: false
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
 plugins:
  gofmt:
    enabled: true
+  golint:
+    enabled: true
+  govet:
+    enabled: true
+  csslint:
+    enabled: true
+  duplication:
+    enabled: true
+    config:
+      languages:
+        javascript:
+          mass_threshold: 80
  eslint:
    enabled: true
    channel: "eslint-5"
    config:
      config: .eslintrc.yml
+  fixme:
+    enabled: true
 exclude_patterns:
- assets/
- build/
- dist/
- distribution/
- node_modules
 - test/
- webpack/
- gruntfile.js
- webpack.config.js
- api/
- "!app/kubernetes/**"
- .github/
- .tmp/
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -6,6 +6,7 @@ env:

 globals:
  angular: true
+  __CONFIG_GA_ID: true

 extends:
  - 'eslint:recommended'
--- a/.github/ISSUE_TEMPLATE/Bug_report.md
+++ b/.github/ISSUE_TEMPLATE/Bug_report.md
@@ -1,48 +1,47 @@
---
-name: Bug report
-about: Create a bug report
---
-
-<!--
-
-Thanks for reporting a bug for Portainer !
-
-You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
-
-Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/.
-
-Before opening a new issue, make sure that we do not have any duplicates
-already open. You can ensure this by searching the issue list for this
-repository. If there is a duplicate, please close your issue and add a comment
-to the existing issue instead.
-
-Also, be sure to check our FAQ and documentation first: https://documentation.portainer.io/
-->
-
-**Bug description**
-A clear and concise description of what the bug is.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Portainer Logs**
-Provide the logs of your Portainer container or Service.
-You can see how [here](https://documentation.portainer.io/archive/1.23.2/faq/#how-do-i-get-the-logs-from-portainer)
-
-**Steps to reproduce the issue:**
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Technical details:**
-
- Portainer version:
- Docker version (managed by Portainer):
- Platform (windows/linux):
- Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
- Browser:
-
-**Additional context**
-Add any other context about the problem here.
+---
+name: Bug report
+about: Create a bug report
+
+---
+
+<!--
+
+Thanks for reporting a bug for Portainer !
+
+You can find more information about Portainer support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/
+
+Do you need help or have a question? Come chat with us on Slack http://portainer.io/slack/.
+
+Before opening a new issue, make sure that we do not have any duplicates
+already open. You can ensure this by searching the issue list for this
+repository. If there is a duplicate, please close your issue and add a comment
+to the existing issue instead.
+
+Also, be sure to check our FAQ and documentation first: https://portainer.readthedocs.io
+-->
+
+**Bug description**
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Portainer Logs**
+Provide the logs of your Portainer container or Service.
+You can see how [here](https://portainer.readthedocs.io/en/stable/faq.html#how-do-i-get-the-logs-from-portainer)
+
+**Steps to reproduce the issue:**
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Technical details:**
+* Portainer version:
+* Docker version (managed by Portainer):
+* Platform (windows/linux):
+* Command used to start Portainer (`docker run -p 9000:9000 portainer/portainer`):
+* Browser:
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -12,13 +12,14 @@ issues:
  # Issues with these labels will never be considered stale
  exemptLabels:
    - kind/enhancement
+    - kind/feature
    - kind/question
    - kind/style
    - kind/workaround
    - bug/need-confirmation
    - bug/confirmed
    - status/discuss
-
+  
  # Only issues with all of these labels are checked if stale. Defaults to `[]` (disabled)
  onlyLabels: []

@@ -34,9 +35,9 @@ issues:

  # Comment to post when marking an issue as stale. Set to `false` to disable
  markComment: >
-    This issue has been marked as stale as it has not had recent activity,
+    This issue has been marked as stale as it has not had recent activity, 
    it will be closed if no further activity occurs in the next 7 days.
-    If you believe that it has been incorrectly labelled as stale,
+    If you believe that it has been incorrectly labelled as stale, 
    leave a comment and the label will be removed.

  # Comment to post when removing the stale label.
@@ -47,7 +48,8 @@ issues:
  closeComment: >
    Since no further activity has appeared on this issue it will be closed.
    If you believe that it has been incorrectly closed, leave a comment
-    mentioning `ametdoohan`, `balasu` or `keverv` and one of our staff will then review the issue.
-
+    and mention @itsconquest. One of our staff will then review the issue.
+    
    Note - If it is an old bug report, make sure that it is reproduceable in the
    latest version of Portainer as it may have already been fixed.
+    
--- a/.gitignore
+++ b/.gitignore
@@ -4,7 +4,5 @@ dist
 portainer-checksum.txt
 api/cmd/portainer/portainer*
 .tmp
-**/.vscode/settings.json
-**/.vscode/tasks.json
-
-.eslintcache
+.vscode
+.eslintcache
--- a/.vscode/portainer.code-snippets
+++ b/.vscode/portainer.code-snippets
@@ -1,162 +0,0 @@
-{
-  // Place your portainer workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and
-  // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope
-  // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is
-  // used to trigger the snippet and the body will be expanded and inserted. Possible variables are:
-  // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders.
-  // Placeholders with the same ids are connected.
-  // Example:
-  // "Print to console": {
-  // 	"scope": "javascript,typescript",
-  // 	"prefix": "log",
-  // 	"body": [
-  // 		"console.log('$1');",
-  // 		"$2"
-  // 	],
-  // 	"description": "Log output to console"
-  // }
-  "Component": {
-    "scope": "javascript",
-    "prefix": "mycomponent",
-    "description": "Dummy Angularjs Component",
-    "body": [
-      "import angular from 'angular';",
-      "import ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/}Controller from './${TM_FILENAME_BASE}Controller'",
-      "",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').component('$TM_FILENAME_BASE', {",
-      "  templateUrl: './$TM_FILENAME_BASE.html',",
-      "  controller: ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/}Controller,",
-      "});",
-      ""
-    ]
-  },
-  "Controller": {
-    "scope": "javascript",
-    "prefix": "mycontroller",
-    "body": [
-      "class ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/} {",
-      "\t/* @ngInject */",
-      "\tconstructor($0) {",
-      "\t}",
-      "}",
-      "",
-      "export default ${TM_FILENAME_BASE/(.*)/${1:/capitalize}/};"
-    ],
-    "description": "Dummy ES6+ controller"
-  },
-  "Model": {
-    "scope": "javascript",
-    "prefix": "mymodel",
-    "description": "Dummy ES6+ model",
-    "body": [
-      "/**",
-      " * $1 Model",
-      " */",
-      "const _$1 = Object.freeze({",
-      "  $0",
-      "});",
-      "",
-      "export class $1 {",
-      "  constructor() {",
-      "    Object.assign(this, JSON.parse(JSON.stringify(_$1)));",
-      "  }",
-      "}"
-    ]
-  },
-  "Service": {
-    "scope": "javascript",
-    "prefix": "myservice",
-    "description": "Dummy ES6+ service",
-    "body": [
-      "import angular from 'angular';",
-      "import PortainerError from 'Portainer/error';",
-      "",
-      "class $1 {",
-      "  /* @ngInject */",
-      "  constructor(\\$async, $0) {",
-      "    this.\\$async = \\$async;",
-      "",
-      "    this.getAsync = this.getAsync.bind(this);",
-      "    this.getAllAsync = this.getAllAsync.bind(this);",
-      "    this.createAsync = this.createAsync.bind(this);",
-      "    this.updateAsync = this.updateAsync.bind(this);",
-      "    this.deleteAsync = this.deleteAsync.bind(this);",
-      "  }",
-      "",
-      "  /**",
-      "   * GET",
-      "   */",
-      "  async getAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  async getAllAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  get() {",
-      "    if () {",
-      "      return this.\\$async(this.getAsync);",
-      "    }",
-      "    return this.\\$async(this.getAllAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * CREATE",
-      "   */",
-      "  async createAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  create() {",
-      "    return this.\\$async(this.createAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * UPDATE",
-      "   */",
-      "  async updateAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  update() {",
-      "    return this.\\$async(this.updateAsync);",
-      "  }",
-      "",
-      "  /**",
-      "   * DELETE",
-      "   */",
-      "  async deleteAsync() {",
-      "    try {",
-      "",
-      "    } catch (err) {",
-      "      throw new PortainerError('', err);",
-      "    }",
-      "  }",
-      "",
-      "  delete() {",
-      "    return this.\\$async(this.deleteAsync);",
-      "  }",
-      "}",
-      "",
-      "export default $1;",
-      "angular.module('portainer.${TM_DIRECTORY/.*\\/app\\/([^\\/]*)(\\/.*)?$/$1/}').service('$1', $1);"
-    ]
-  }
-}
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 <p align="center">
-  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/app/assets/images/logo_alt.png?raw=true' />
+  <img title="portainer" src='https://github.com/portainer/portainer/blob/develop/assets/images/logo_alt.png?raw=true' />
 </p>

 [![Docker Pulls](https://img.shields.io/docker/pulls/portainer/portainer.svg)](https://hub.docker.com/r/portainer/portainer/)
@@ -10,7 +10,7 @@

 **_Portainer_** is a lightweight management UI which allows you to **easily** manage your different Docker environments (Docker hosts or Swarm clusters).
 **_Portainer_** is meant to be as **simple** to deploy as it is to use. It consists of a single container that can run on any Docker engine (can be deployed as Linux container or a Windows native container, supports other platforms too).
-**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more!) It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.
+**_Portainer_** allows you to manage all your Docker resources (containers, images, volumes, networks and more) ! It is compatible with the _standalone Docker_ engine and with _Docker Swarm mode_.

 ## Demo

@@ -24,12 +24,12 @@ Alternatively, you can deploy a copy of the demo stack inside a [play-with-docke
 - Sign in with your [Docker ID](https://docs.docker.com/docker-id)
 - Follow [these](https://github.com/portainer/portainer-demo/blob/master/play-with-docker/docker-stack.yml#L5-L8) steps.

-Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are the same, including default credentials.
+Unlike the public demo, the playground sessions are deleted after 4 hours. Apart from that, all the settings are same, including default credentials.

 ## Getting started

 - [Deploy Portainer](https://www.portainer.io/installation/)
- [Documentation](https://documentation.portainer.io)
+- [Documentation](https://www.portainer.io/documentation/)

 ## Getting help

@@ -38,24 +38,18 @@ For FORMAL Support, please purchase a support subscription from here: https://ww
 For community support: You can find more information about Portainer's community support framework policy here: https://www.portainer.io/2019/04/portainer-support-policy/

 - Issues: https://github.com/portainer/portainer/issues
- FAQ: https://documentation.portainer.io
+- FAQ: https://www.portainer.io/documentation/faqs/
 - Slack (chat): https://portainer.io/slack/

 ## Reporting bugs and contributing

 - Want to report a bug or request a feature? Please open [an issue](https://github.com/portainer/portainer/issues/new).
- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://documentation.portainer.io/contributing/instructions/) to build it locally and make a pull request. We need all the help we can get!
+- Want to help us build **_portainer_**? Follow our [contribution guidelines](https://www.portainer.io/documentation/how-to-contribute/) to build it locally and make a pull request. We need all the help we can get!

 ## Security

 - Here at Portainer, we believe in [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure) of security issues. If you have found a security issue, please report it to <security@portainer.io>.

-## Privacy
-
-**To make sure we focus our development effort in the right places we need to know which features get used most often. To give us this information we use [Matomo Analytics](https://matomo.org/), which is hosted in Germany and is fully GDPR compliant.**
-
-When Portainer first starts, you are given the option to DISABLE analytics. If you **don't** choose to disable it, we collect anonymous usage as per [our privacy policy](https://www.portainer.io/documentation/in-app-analytics-and-privacy-policy/). **Please note**, there is no personally identifiable information sent or stored at any time and we only use the data to help us improve Portainer.
-
 ## Limitations

 Portainer supports "Current - 2 docker versions only. Prior versions may operate, however these are not supported.
--- a/api/internal/authorization/access_control.go
+++ b/api/internal/authorization/access_control.go
@@ -1,25 +1,19 @@
-package authorization
-
-import (
-	"strconv"
-
-	"github.com/portainer/portainer/api"
-)
+package portainer

 // NewPrivateResourceControl will create a new private resource control associated to the resource specified by the
 // identifier and type parameters. It automatically assigns it to the user specified by the userID parameter.
-func NewPrivateResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, userID portainer.UserID) *portainer.ResourceControl {
-	return &portainer.ResourceControl{
+func NewPrivateResourceControl(resourceIdentifier string, resourceType ResourceControlType, userID UserID) *ResourceControl {
+	return &ResourceControl{
 		Type:           resourceType,
 		ResourceID:     resourceIdentifier,
 		SubResourceIDs: []string{},
-		UserAccesses: []portainer.UserResourceAccess{
+		UserAccesses: []UserResourceAccess{
 			{
 				UserID:      userID,
-				AccessLevel: portainer.ReadWriteAccessLevel,
+				AccessLevel: ReadWriteAccessLevel,
 			},
 		},
-		TeamAccesses:       []portainer.TeamResourceAccess{},
+		TeamAccesses:       []TeamResourceAccess{},
 		AdministratorsOnly: false,
 		Public:             false,
 		System:             false,
@@ -28,13 +22,13 @@ func NewPrivateResourceControl(resourceIdentifier string, resourceType portainer

 // NewSystemResourceControl will create a new public resource control with the System flag set to true.
 // These kind of resource control are not persisted and are created on the fly by the Portainer API.
-func NewSystemResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType) *portainer.ResourceControl {
-	return &portainer.ResourceControl{
+func NewSystemResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
+	return &ResourceControl{
 		Type:               resourceType,
 		ResourceID:         resourceIdentifier,
 		SubResourceIDs:     []string{},
-		UserAccesses:       []portainer.UserResourceAccess{},
-		TeamAccesses:       []portainer.TeamResourceAccess{},
+		UserAccesses:       []UserResourceAccess{},
+		TeamAccesses:       []TeamResourceAccess{},
 		AdministratorsOnly: false,
 		Public:             true,
 		System:             true,
@@ -42,13 +36,13 @@ func NewSystemResourceControl(resourceIdentifier string, resourceType portainer.
 }

 // NewPublicResourceControl will create a new public resource control.
-func NewPublicResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType) *portainer.ResourceControl {
-	return &portainer.ResourceControl{
+func NewPublicResourceControl(resourceIdentifier string, resourceType ResourceControlType) *ResourceControl {
+	return &ResourceControl{
 		Type:               resourceType,
 		ResourceID:         resourceIdentifier,
 		SubResourceIDs:     []string{},
-		UserAccesses:       []portainer.UserResourceAccess{},
-		TeamAccesses:       []portainer.TeamResourceAccess{},
+		UserAccesses:       []UserResourceAccess{},
+		TeamAccesses:       []TeamResourceAccess{},
 		AdministratorsOnly: false,
 		Public:             true,
 		System:             false,
@@ -56,29 +50,29 @@ func NewPublicResourceControl(resourceIdentifier string, resourceType portainer.
 }

 // NewRestrictedResourceControl will create a new resource control with user and team accesses restrictions.
-func NewRestrictedResourceControl(resourceIdentifier string, resourceType portainer.ResourceControlType, userIDs []portainer.UserID, teamIDs []portainer.TeamID) *portainer.ResourceControl {
-	userAccesses := make([]portainer.UserResourceAccess, 0)
-	teamAccesses := make([]portainer.TeamResourceAccess, 0)
+func NewRestrictedResourceControl(resourceIdentifier string, resourceType ResourceControlType, userIDs []UserID, teamIDs []TeamID) *ResourceControl {
+	userAccesses := make([]UserResourceAccess, 0)
+	teamAccesses := make([]TeamResourceAccess, 0)

 	for _, id := range userIDs {
-		access := portainer.UserResourceAccess{
+		access := UserResourceAccess{
 			UserID:      id,
-			AccessLevel: portainer.ReadWriteAccessLevel,
+			AccessLevel: ReadWriteAccessLevel,
 		}

 		userAccesses = append(userAccesses, access)
 	}

 	for _, id := range teamIDs {
-		access := portainer.TeamResourceAccess{
+		access := TeamResourceAccess{
 			TeamID:      id,
-			AccessLevel: portainer.ReadWriteAccessLevel,
+			AccessLevel: ReadWriteAccessLevel,
 		}

 		teamAccesses = append(teamAccesses, access)
 	}

-	return &portainer.ResourceControl{
+	return &ResourceControl{
 		Type:               resourceType,
 		ResourceID:         resourceIdentifier,
 		SubResourceIDs:     []string{},
@@ -92,10 +86,10 @@ func NewRestrictedResourceControl(resourceIdentifier string, resourceType portai

 // DecorateStacks will iterate through a list of stacks, check for an associated resource control for each
 // stack and decorate the stack element if a resource control is found.
-func DecorateStacks(stacks []portainer.Stack, resourceControls []portainer.ResourceControl) []portainer.Stack {
+func DecorateStacks(stacks []Stack, resourceControls []ResourceControl) []Stack {
 	for idx, stack := range stacks {

-		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, portainer.StackResourceControl, resourceControls)
+		resourceControl := GetResourceControlByResourceIDAndType(stack.Name, StackResourceControl, resourceControls)
 		if resourceControl != nil {
 			stacks[idx].ResourceControl = resourceControl
 		}
@@ -104,25 +98,17 @@ func DecorateStacks(stacks []portainer.Stack, resourceControls []portainer.Resou
 	return stacks
 }

-// DecorateCustomTemplates will iterate through a list of custom templates, check for an associated resource control for each
-// template and decorate the template element if a resource control is found.
-func DecorateCustomTemplates(templates []portainer.CustomTemplate, resourceControls []portainer.ResourceControl) []portainer.CustomTemplate {
-	for idx, template := range templates {
-
-		resourceControl := GetResourceControlByResourceIDAndType(strconv.Itoa(int(template.ID)), portainer.CustomTemplateResourceControl, resourceControls)
-		if resourceControl != nil {
-			templates[idx].ResourceControl = resourceControl
-		}
-	}
-
-	return templates
-}
-
 // FilterAuthorizedStacks returns a list of decorated stacks filtered through resource control access checks.
-func FilterAuthorizedStacks(stacks []portainer.Stack, user *portainer.User, userTeamIDs []portainer.TeamID) []portainer.Stack {
-	authorizedStacks := make([]portainer.Stack, 0)
+func FilterAuthorizedStacks(stacks []Stack, user *User, userTeamIDs []TeamID, rbacEnabled bool) []Stack {
+	authorizedStacks := make([]Stack, 0)

 	for _, stack := range stacks {
+		_, ok := user.EndpointAuthorizations[stack.EndpointID][EndpointResourcesAccess]
+		if rbacEnabled && ok {
+			authorizedStacks = append(authorizedStacks, stack)
+			continue
+		}
+
 		if stack.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, stack.ResourceControl) {
 			authorizedStacks = append(authorizedStacks, stack)
 		}
@@ -131,22 +117,9 @@ func FilterAuthorizedStacks(stacks []portainer.Stack, user *portainer.User, user
 	return authorizedStacks
 }

-// FilterAuthorizedCustomTemplates returns a list of decorated custom templates filtered through resource control access checks.
-func FilterAuthorizedCustomTemplates(customTemplates []portainer.CustomTemplate, user *portainer.User, userTeamIDs []portainer.TeamID) []portainer.CustomTemplate {
-	authorizedTemplates := make([]portainer.CustomTemplate, 0)
-
-	for _, customTemplate := range customTemplates {
-		if customTemplate.CreatedByUserID == user.ID || (customTemplate.ResourceControl != nil && UserCanAccessResource(user.ID, userTeamIDs, customTemplate.ResourceControl)) {
-			authorizedTemplates = append(authorizedTemplates, customTemplate)
-		}
-	}
-
-	return authorizedTemplates
-}
-
 // UserCanAccessResource will valide that a user has permissions defined in the specified resource control
 // based on its identifier and the team(s) he is part of.
-func UserCanAccessResource(userID portainer.UserID, userTeamIDs []portainer.TeamID, resourceControl *portainer.ResourceControl) bool {
+func UserCanAccessResource(userID UserID, userTeamIDs []TeamID, resourceControl *ResourceControl) bool {
 	for _, authorizedUserAccess := range resourceControl.UserAccesses {
 		if userID == authorizedUserAccess.UserID {
 			return true
@@ -166,7 +139,7 @@ func UserCanAccessResource(userID portainer.UserID, userTeamIDs []portainer.Team

 // GetResourceControlByResourceIDAndType retrieves the first matching resource control in a set of resource controls
 // based on the specified id and resource type parameters.
-func GetResourceControlByResourceIDAndType(resourceID string, resourceType portainer.ResourceControlType, resourceControls []portainer.ResourceControl) *portainer.ResourceControl {
+func GetResourceControlByResourceIDAndType(resourceID string, resourceType ResourceControlType, resourceControls []ResourceControl) *ResourceControl {
 	for _, resourceControl := range resourceControls {
 		if resourceID == resourceControl.ResourceID && resourceType == resourceControl.Type {
 			return &resourceControl
--- a/api/authorizations.go
+++ b/api/authorizations.go
@@ -0,0 +1,795 @@
+package portainer
+
+// AuthorizationService represents a service used to
+// update authorizations associated to a user or team.
+type AuthorizationService struct {
+	endpointService       EndpointService
+	endpointGroupService  EndpointGroupService
+	registryService       RegistryService
+	roleService           RoleService
+	teamMembershipService TeamMembershipService
+	userService           UserService
+}
+
+// AuthorizationServiceParameters are the required parameters
+// used to create a new AuthorizationService.
+type AuthorizationServiceParameters struct {
+	EndpointService       EndpointService
+	EndpointGroupService  EndpointGroupService
+	RegistryService       RegistryService
+	RoleService           RoleService
+	TeamMembershipService TeamMembershipService
+	UserService           UserService
+}
+
+// NewAuthorizationService returns a point to a new AuthorizationService instance.
+func NewAuthorizationService(parameters *AuthorizationServiceParameters) *AuthorizationService {
+	return &AuthorizationService{
+		endpointService:       parameters.EndpointService,
+		endpointGroupService:  parameters.EndpointGroupService,
+		registryService:       parameters.RegistryService,
+		roleService:           parameters.RoleService,
+		teamMembershipService: parameters.TeamMembershipService,
+		userService:           parameters.UserService,
+	}
+}
+
+// DefaultEndpointAuthorizationsForEndpointAdministratorRole returns the default endpoint authorizations
+// associated to the endpoint administrator role.
+func DefaultEndpointAuthorizationsForEndpointAdministratorRole() Authorizations {
+	return map[Authorization]bool{
+		OperationDockerContainerArchiveInfo:         true,
+		OperationDockerContainerList:                true,
+		OperationDockerContainerExport:              true,
+		OperationDockerContainerChanges:             true,
+		OperationDockerContainerInspect:             true,
+		OperationDockerContainerTop:                 true,
+		OperationDockerContainerLogs:                true,
+		OperationDockerContainerStats:               true,
+		OperationDockerContainerAttachWebsocket:     true,
+		OperationDockerContainerArchive:             true,
+		OperationDockerContainerCreate:              true,
+		OperationDockerContainerPrune:               true,
+		OperationDockerContainerKill:                true,
+		OperationDockerContainerPause:               true,
+		OperationDockerContainerUnpause:             true,
+		OperationDockerContainerRestart:             true,
+		OperationDockerContainerStart:               true,
+		OperationDockerContainerStop:                true,
+		OperationDockerContainerWait:                true,
+		OperationDockerContainerResize:              true,
+		OperationDockerContainerAttach:              true,
+		OperationDockerContainerExec:                true,
+		OperationDockerContainerRename:              true,
+		OperationDockerContainerUpdate:              true,
+		OperationDockerContainerPutContainerArchive: true,
+		OperationDockerContainerDelete:              true,
+		OperationDockerImageList:                    true,
+		OperationDockerImageSearch:                  true,
+		OperationDockerImageGetAll:                  true,
+		OperationDockerImageGet:                     true,
+		OperationDockerImageHistory:                 true,
+		OperationDockerImageInspect:                 true,
+		OperationDockerImageLoad:                    true,
+		OperationDockerImageCreate:                  true,
+		OperationDockerImagePrune:                   true,
+		OperationDockerImagePush:                    true,
+		OperationDockerImageTag:                     true,
+		OperationDockerImageDelete:                  true,
+		OperationDockerImageCommit:                  true,
+		OperationDockerImageBuild:                   true,
+		OperationDockerNetworkList:                  true,
+		OperationDockerNetworkInspect:               true,
+		OperationDockerNetworkCreate:                true,
+		OperationDockerNetworkConnect:               true,
+		OperationDockerNetworkDisconnect:            true,
+		OperationDockerNetworkPrune:                 true,
+		OperationDockerNetworkDelete:                true,
+		OperationDockerVolumeList:                   true,
+		OperationDockerVolumeInspect:                true,
+		OperationDockerVolumeCreate:                 true,
+		OperationDockerVolumePrune:                  true,
+		OperationDockerVolumeDelete:                 true,
+		OperationDockerExecInspect:                  true,
+		OperationDockerExecStart:                    true,
+		OperationDockerExecResize:                   true,
+		OperationDockerSwarmInspect:                 true,
+		OperationDockerSwarmUnlockKey:               true,
+		OperationDockerSwarmInit:                    true,
+		OperationDockerSwarmJoin:                    true,
+		OperationDockerSwarmLeave:                   true,
+		OperationDockerSwarmUpdate:                  true,
+		OperationDockerSwarmUnlock:                  true,
+		OperationDockerNodeList:                     true,
+		OperationDockerNodeInspect:                  true,
+		OperationDockerNodeUpdate:                   true,
+		OperationDockerNodeDelete:                   true,
+		OperationDockerServiceList:                  true,
+		OperationDockerServiceInspect:               true,
+		OperationDockerServiceLogs:                  true,
+		OperationDockerServiceCreate:                true,
+		OperationDockerServiceUpdate:                true,
+		OperationDockerServiceDelete:                true,
+		OperationDockerSecretList:                   true,
+		OperationDockerSecretInspect:                true,
+		OperationDockerSecretCreate:                 true,
+		OperationDockerSecretUpdate:                 true,
+		OperationDockerSecretDelete:                 true,
+		OperationDockerConfigList:                   true,
+		OperationDockerConfigInspect:                true,
+		OperationDockerConfigCreate:                 true,
+		OperationDockerConfigUpdate:                 true,
+		OperationDockerConfigDelete:                 true,
+		OperationDockerTaskList:                     true,
+		OperationDockerTaskInspect:                  true,
+		OperationDockerTaskLogs:                     true,
+		OperationDockerPluginList:                   true,
+		OperationDockerPluginPrivileges:             true,
+		OperationDockerPluginInspect:                true,
+		OperationDockerPluginPull:                   true,
+		OperationDockerPluginCreate:                 true,
+		OperationDockerPluginEnable:                 true,
+		OperationDockerPluginDisable:                true,
+		OperationDockerPluginPush:                   true,
+		OperationDockerPluginUpgrade:                true,
+		OperationDockerPluginSet:                    true,
+		OperationDockerPluginDelete:                 true,
+		OperationDockerSessionStart:                 true,
+		OperationDockerDistributionInspect:          true,
+		OperationDockerBuildPrune:                   true,
+		OperationDockerBuildCancel:                  true,
+		OperationDockerPing:                         true,
+		OperationDockerInfo:                         true,
+		OperationDockerVersion:                      true,
+		OperationDockerEvents:                       true,
+		OperationDockerSystem:                       true,
+		OperationDockerUndefined:                    true,
+		OperationDockerAgentPing:                    true,
+		OperationDockerAgentList:                    true,
+		OperationDockerAgentHostInfo:                true,
+		OperationDockerAgentBrowseDelete:            true,
+		OperationDockerAgentBrowseGet:               true,
+		OperationDockerAgentBrowseList:              true,
+		OperationDockerAgentBrowsePut:               true,
+		OperationDockerAgentBrowseRename:            true,
+		OperationDockerAgentUndefined:               true,
+		OperationPortainerResourceControlCreate:     true,
+		OperationPortainerResourceControlUpdate:     true,
+		OperationPortainerStackList:                 true,
+		OperationPortainerStackInspect:              true,
+		OperationPortainerStackFile:                 true,
+		OperationPortainerStackCreate:               true,
+		OperationPortainerStackMigrate:              true,
+		OperationPortainerStackUpdate:               true,
+		OperationPortainerStackDelete:               true,
+		OperationPortainerWebsocketExec:             true,
+		OperationPortainerWebhookList:               true,
+		OperationPortainerWebhookCreate:             true,
+		OperationPortainerWebhookDelete:             true,
+		OperationIntegrationStoridgeAdmin:           true,
+		EndpointResourcesAccess:                     true,
+	}
+}
+
+// DefaultEndpointAuthorizationsForHelpDeskRole returns the default endpoint authorizations
+// associated to the helpdesk role.
+func DefaultEndpointAuthorizationsForHelpDeskRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo: true,
+		OperationDockerContainerList:        true,
+		OperationDockerContainerChanges:     true,
+		OperationDockerContainerInspect:     true,
+		OperationDockerContainerTop:         true,
+		OperationDockerContainerLogs:        true,
+		OperationDockerContainerStats:       true,
+		OperationDockerImageList:            true,
+		OperationDockerImageSearch:          true,
+		OperationDockerImageGetAll:          true,
+		OperationDockerImageGet:             true,
+		OperationDockerImageHistory:         true,
+		OperationDockerImageInspect:         true,
+		OperationDockerNetworkList:          true,
+		OperationDockerNetworkInspect:       true,
+		OperationDockerVolumeList:           true,
+		OperationDockerVolumeInspect:        true,
+		OperationDockerSwarmInspect:         true,
+		OperationDockerNodeList:             true,
+		OperationDockerNodeInspect:          true,
+		OperationDockerServiceList:          true,
+		OperationDockerServiceInspect:       true,
+		OperationDockerServiceLogs:          true,
+		OperationDockerSecretList:           true,
+		OperationDockerSecretInspect:        true,
+		OperationDockerConfigList:           true,
+		OperationDockerConfigInspect:        true,
+		OperationDockerTaskList:             true,
+		OperationDockerTaskInspect:          true,
+		OperationDockerTaskLogs:             true,
+		OperationDockerPluginList:           true,
+		OperationDockerDistributionInspect:  true,
+		OperationDockerPing:                 true,
+		OperationDockerInfo:                 true,
+		OperationDockerVersion:              true,
+		OperationDockerEvents:               true,
+		OperationDockerSystem:               true,
+		OperationDockerAgentPing:            true,
+		OperationDockerAgentList:            true,
+		OperationDockerAgentHostInfo:        true,
+		OperationPortainerStackList:         true,
+		OperationPortainerStackInspect:      true,
+		OperationPortainerStackFile:         true,
+		OperationPortainerWebhookList:       true,
+		EndpointResourcesAccess:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForStandardUserRole returns the default endpoint authorizations
+// associated to the standard user role.
+func DefaultEndpointAuthorizationsForStandardUserRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo:         true,
+		OperationDockerContainerList:                true,
+		OperationDockerContainerExport:              true,
+		OperationDockerContainerChanges:             true,
+		OperationDockerContainerInspect:             true,
+		OperationDockerContainerTop:                 true,
+		OperationDockerContainerLogs:                true,
+		OperationDockerContainerStats:               true,
+		OperationDockerContainerAttachWebsocket:     true,
+		OperationDockerContainerArchive:             true,
+		OperationDockerContainerCreate:              true,
+		OperationDockerContainerKill:                true,
+		OperationDockerContainerPause:               true,
+		OperationDockerContainerUnpause:             true,
+		OperationDockerContainerRestart:             true,
+		OperationDockerContainerStart:               true,
+		OperationDockerContainerStop:                true,
+		OperationDockerContainerWait:                true,
+		OperationDockerContainerResize:              true,
+		OperationDockerContainerAttach:              true,
+		OperationDockerContainerExec:                true,
+		OperationDockerContainerRename:              true,
+		OperationDockerContainerUpdate:              true,
+		OperationDockerContainerPutContainerArchive: true,
+		OperationDockerContainerDelete:              true,
+		OperationDockerImageList:                    true,
+		OperationDockerImageSearch:                  true,
+		OperationDockerImageGetAll:                  true,
+		OperationDockerImageGet:                     true,
+		OperationDockerImageHistory:                 true,
+		OperationDockerImageInspect:                 true,
+		OperationDockerImageLoad:                    true,
+		OperationDockerImageCreate:                  true,
+		OperationDockerImagePush:                    true,
+		OperationDockerImageTag:                     true,
+		OperationDockerImageDelete:                  true,
+		OperationDockerImageCommit:                  true,
+		OperationDockerImageBuild:                   true,
+		OperationDockerNetworkList:                  true,
+		OperationDockerNetworkInspect:               true,
+		OperationDockerNetworkCreate:                true,
+		OperationDockerNetworkConnect:               true,
+		OperationDockerNetworkDisconnect:            true,
+		OperationDockerNetworkDelete:                true,
+		OperationDockerVolumeList:                   true,
+		OperationDockerVolumeInspect:                true,
+		OperationDockerVolumeCreate:                 true,
+		OperationDockerVolumeDelete:                 true,
+		OperationDockerExecInspect:                  true,
+		OperationDockerExecStart:                    true,
+		OperationDockerExecResize:                   true,
+		OperationDockerSwarmInspect:                 true,
+		OperationDockerSwarmUnlockKey:               true,
+		OperationDockerSwarmInit:                    true,
+		OperationDockerSwarmJoin:                    true,
+		OperationDockerSwarmLeave:                   true,
+		OperationDockerSwarmUpdate:                  true,
+		OperationDockerSwarmUnlock:                  true,
+		OperationDockerNodeList:                     true,
+		OperationDockerNodeInspect:                  true,
+		OperationDockerNodeUpdate:                   true,
+		OperationDockerNodeDelete:                   true,
+		OperationDockerServiceList:                  true,
+		OperationDockerServiceInspect:               true,
+		OperationDockerServiceLogs:                  true,
+		OperationDockerServiceCreate:                true,
+		OperationDockerServiceUpdate:                true,
+		OperationDockerServiceDelete:                true,
+		OperationDockerSecretList:                   true,
+		OperationDockerSecretInspect:                true,
+		OperationDockerSecretCreate:                 true,
+		OperationDockerSecretUpdate:                 true,
+		OperationDockerSecretDelete:                 true,
+		OperationDockerConfigList:                   true,
+		OperationDockerConfigInspect:                true,
+		OperationDockerConfigCreate:                 true,
+		OperationDockerConfigUpdate:                 true,
+		OperationDockerConfigDelete:                 true,
+		OperationDockerTaskList:                     true,
+		OperationDockerTaskInspect:                  true,
+		OperationDockerTaskLogs:                     true,
+		OperationDockerPluginList:                   true,
+		OperationDockerPluginPrivileges:             true,
+		OperationDockerPluginInspect:                true,
+		OperationDockerPluginPull:                   true,
+		OperationDockerPluginCreate:                 true,
+		OperationDockerPluginEnable:                 true,
+		OperationDockerPluginDisable:                true,
+		OperationDockerPluginPush:                   true,
+		OperationDockerPluginUpgrade:                true,
+		OperationDockerPluginSet:                    true,
+		OperationDockerPluginDelete:                 true,
+		OperationDockerSessionStart:                 true,
+		OperationDockerDistributionInspect:          true,
+		OperationDockerBuildPrune:                   true,
+		OperationDockerBuildCancel:                  true,
+		OperationDockerPing:                         true,
+		OperationDockerInfo:                         true,
+		OperationDockerVersion:                      true,
+		OperationDockerEvents:                       true,
+		OperationDockerSystem:                       true,
+		OperationDockerUndefined:                    true,
+		OperationDockerAgentPing:                    true,
+		OperationDockerAgentList:                    true,
+		OperationDockerAgentHostInfo:                true,
+		OperationDockerAgentUndefined:               true,
+		OperationPortainerResourceControlUpdate:     true,
+		OperationPortainerStackList:                 true,
+		OperationPortainerStackInspect:              true,
+		OperationPortainerStackFile:                 true,
+		OperationPortainerStackCreate:               true,
+		OperationPortainerStackMigrate:              true,
+		OperationPortainerStackUpdate:               true,
+		OperationPortainerStackDelete:               true,
+		OperationPortainerWebsocketExec:             true,
+		OperationPortainerWebhookList:               true,
+		OperationPortainerWebhookCreate:             true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+		authorizations[OperationDockerAgentBrowseDelete] = true
+		authorizations[OperationDockerAgentBrowsePut] = true
+		authorizations[OperationDockerAgentBrowseRename] = true
+	}
+
+	return authorizations
+}
+
+// DefaultEndpointAuthorizationsForReadOnlyUserRole returns the default endpoint authorizations
+// associated to the readonly user role.
+func DefaultEndpointAuthorizationsForReadOnlyUserRole(volumeBrowsingAuthorizations bool) Authorizations {
+	authorizations := map[Authorization]bool{
+		OperationDockerContainerArchiveInfo: true,
+		OperationDockerContainerList:        true,
+		OperationDockerContainerChanges:     true,
+		OperationDockerContainerInspect:     true,
+		OperationDockerContainerTop:         true,
+		OperationDockerContainerLogs:        true,
+		OperationDockerContainerStats:       true,
+		OperationDockerImageList:            true,
+		OperationDockerImageSearch:          true,
+		OperationDockerImageGetAll:          true,
+		OperationDockerImageGet:             true,
+		OperationDockerImageHistory:         true,
+		OperationDockerImageInspect:         true,
+		OperationDockerNetworkList:          true,
+		OperationDockerNetworkInspect:       true,
+		OperationDockerVolumeList:           true,
+		OperationDockerVolumeInspect:        true,
+		OperationDockerSwarmInspect:         true,
+		OperationDockerNodeList:             true,
+		OperationDockerNodeInspect:          true,
+		OperationDockerServiceList:          true,
+		OperationDockerServiceInspect:       true,
+		OperationDockerServiceLogs:          true,
+		OperationDockerSecretList:           true,
+		OperationDockerSecretInspect:        true,
+		OperationDockerConfigList:           true,
+		OperationDockerConfigInspect:        true,
+		OperationDockerTaskList:             true,
+		OperationDockerTaskInspect:          true,
+		OperationDockerTaskLogs:             true,
+		OperationDockerPluginList:           true,
+		OperationDockerDistributionInspect:  true,
+		OperationDockerPing:                 true,
+		OperationDockerInfo:                 true,
+		OperationDockerVersion:              true,
+		OperationDockerEvents:               true,
+		OperationDockerSystem:               true,
+		OperationDockerAgentPing:            true,
+		OperationDockerAgentList:            true,
+		OperationDockerAgentHostInfo:        true,
+		OperationPortainerStackList:         true,
+		OperationPortainerStackInspect:      true,
+		OperationPortainerStackFile:         true,
+		OperationPortainerWebhookList:       true,
+	}
+
+	if volumeBrowsingAuthorizations {
+		authorizations[OperationDockerAgentBrowseGet] = true
+		authorizations[OperationDockerAgentBrowseList] = true
+	}
+
+	return authorizations
+}
+
+// DefaultPortainerAuthorizations returns the default Portainer authorizations used by non-admin users.
+func DefaultPortainerAuthorizations() Authorizations {
+	return map[Authorization]bool{
+		OperationPortainerDockerHubInspect:        true,
+		OperationPortainerEndpointGroupList:       true,
+		OperationPortainerEndpointList:            true,
+		OperationPortainerEndpointInspect:         true,
+		OperationPortainerEndpointExtensionAdd:    true,
+		OperationPortainerEndpointExtensionRemove: true,
+		OperationPortainerExtensionList:           true,
+		OperationPortainerMOTD:                    true,
+		OperationPortainerRegistryList:            true,
+		OperationPortainerRegistryInspect:         true,
+		OperationPortainerTeamList:                true,
+		OperationPortainerTemplateList:            true,
+		OperationPortainerTemplateInspect:         true,
+		OperationPortainerUserList:                true,
+		OperationPortainerUserInspect:             true,
+		OperationPortainerUserMemberships:         true,
+	}
+}
+
+// UpdateVolumeBrowsingAuthorizations will update all the volume browsing authorizations for each role (except endpoint administrator)
+// based on the specified removeAuthorizations parameter. If removeAuthorizations is set to true, all
+// the authorizations will be dropped for the each role. If removeAuthorizations is set to false, the authorizations
+// will be reset based for each role.
+func (service AuthorizationService) UpdateVolumeBrowsingAuthorizations(remove bool) error {
+	roles, err := service.roleService.Roles()
+	if err != nil {
+		return err
+	}
+
+	for _, role := range roles {
+		// all roles except endpoint administrator
+		if role.ID != RoleID(1) {
+			updateRoleVolumeBrowsingAuthorizations(&role, remove)
+
+			err := service.roleService.UpdateRole(role.ID, &role)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func updateRoleVolumeBrowsingAuthorizations(role *Role, removeAuthorizations bool) {
+	if !removeAuthorizations {
+		delete(role.Authorizations, OperationDockerAgentBrowseDelete)
+		delete(role.Authorizations, OperationDockerAgentBrowseGet)
+		delete(role.Authorizations, OperationDockerAgentBrowseList)
+		delete(role.Authorizations, OperationDockerAgentBrowsePut)
+		delete(role.Authorizations, OperationDockerAgentBrowseRename)
+		return
+	}
+
+	role.Authorizations[OperationDockerAgentBrowseGet] = true
+	role.Authorizations[OperationDockerAgentBrowseList] = true
+
+	// Standard-user
+	if role.ID == RoleID(3) {
+		role.Authorizations[OperationDockerAgentBrowseDelete] = true
+		role.Authorizations[OperationDockerAgentBrowsePut] = true
+		role.Authorizations[OperationDockerAgentBrowseRename] = true
+	}
+}
+
+// RemoveTeamAccessPolicies will remove all existing access policies associated to the specified team
+func (service *AuthorizationService) RemoveTeamAccessPolicies(teamID TeamID) error {
+	endpoints, err := service.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyTeamID := range endpoint.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpoint.TeamAccessPolicies, policyTeamID)
+
+				err := service.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyTeamID := range endpointGroup.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(endpointGroup.TeamAccessPolicies, policyTeamID)
+
+				err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.registryService.Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyTeamID := range registry.TeamAccessPolicies {
+			if policyTeamID == teamID {
+				delete(registry.TeamAccessPolicies, policyTeamID)
+
+				err := service.registryService.UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return service.UpdateUsersAuthorizations()
+}
+
+// RemoveUserAccessPolicies will remove all existing access policies associated to the specified user
+func (service *AuthorizationService) RemoveUserAccessPolicies(userID UserID) error {
+	endpoints, err := service.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		for policyUserID := range endpoint.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpoint.UserAccessPolicies, policyUserID)
+
+				err := service.endpointService.UpdateEndpoint(endpoint.ID, &endpoint)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return err
+	}
+
+	for _, endpointGroup := range endpointGroups {
+		for policyUserID := range endpointGroup.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(endpointGroup.UserAccessPolicies, policyUserID)
+
+				err := service.endpointGroupService.UpdateEndpointGroup(endpointGroup.ID, &endpointGroup)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	registries, err := service.registryService.Registries()
+	if err != nil {
+		return err
+	}
+
+	for _, registry := range registries {
+		for policyUserID := range registry.UserAccessPolicies {
+			if policyUserID == userID {
+				delete(registry.UserAccessPolicies, policyUserID)
+
+				err := service.registryService.UpdateRegistry(registry.ID, &registry)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateUsersAuthorizations will trigger an update of the authorizations for all the users.
+func (service *AuthorizationService) UpdateUsersAuthorizations() error {
+	users, err := service.userService.Users()
+	if err != nil {
+		return err
+	}
+
+	for _, user := range users {
+		err := service.updateUserAuthorizations(user.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (service *AuthorizationService) updateUserAuthorizations(userID UserID) error {
+	user, err := service.userService.User(userID)
+	if err != nil {
+		return err
+	}
+
+	endpointAuthorizations, err := service.getAuthorizations(user)
+	if err != nil {
+		return err
+	}
+
+	user.EndpointAuthorizations = endpointAuthorizations
+
+	return service.userService.UpdateUser(userID, user)
+}
+
+func (service *AuthorizationService) getAuthorizations(user *User) (EndpointAuthorizations, error) {
+	endpointAuthorizations := EndpointAuthorizations{}
+	if user.Role == AdministratorRole {
+		return endpointAuthorizations, nil
+	}
+
+	userMemberships, err := service.teamMembershipService.TeamMembershipsByUserID(user.ID)
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpoints, err := service.endpointService.Endpoints()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointGroups, err := service.endpointGroupService.EndpointGroups()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	roles, err := service.roleService.Roles()
+	if err != nil {
+		return endpointAuthorizations, err
+	}
+
+	endpointAuthorizations = getUserEndpointAuthorizations(user, endpoints, endpointGroups, roles, userMemberships)
+
+	return endpointAuthorizations, nil
+}
+
+func getUserEndpointAuthorizations(user *User, endpoints []Endpoint, endpointGroups []EndpointGroup, roles []Role, userMemberships []TeamMembership) EndpointAuthorizations {
+	endpointAuthorizations := make(EndpointAuthorizations)
+
+	groupUserAccessPolicies := map[EndpointGroupID]UserAccessPolicies{}
+	groupTeamAccessPolicies := map[EndpointGroupID]TeamAccessPolicies{}
+	for _, endpointGroup := range endpointGroups {
+		groupUserAccessPolicies[endpointGroup.ID] = endpointGroup.UserAccessPolicies
+		groupTeamAccessPolicies[endpointGroup.ID] = endpointGroup.TeamAccessPolicies
+	}
+
+	for _, endpoint := range endpoints {
+		authorizations := getAuthorizationsFromUserEndpointPolicy(user, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromUserEndpointGroupPolicy(user, &endpoint, roles, groupUserAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointPolicies(userMemberships, &endpoint, roles)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+			continue
+		}
+
+		authorizations = getAuthorizationsFromTeamEndpointGroupPolicies(userMemberships, &endpoint, roles, groupTeamAccessPolicies)
+		if len(authorizations) > 0 {
+			endpointAuthorizations[endpoint.ID] = authorizations
+		}
+	}
+
+	return endpointAuthorizations
+}
+
+func getAuthorizationsFromUserEndpointPolicy(user *User, endpoint *Endpoint, roles []Role) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	policy, ok := endpoint.UserAccessPolicies[user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromUserEndpointGroupPolicy(user *User, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]UserAccessPolicies) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	policy, ok := groupAccessPolicies[endpoint.GroupID][user.ID]
+	if ok {
+		policyRoles = append(policyRoles, policy.RoleID)
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := endpoint.TeamAccessPolicies[membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromTeamEndpointGroupPolicies(memberships []TeamMembership, endpoint *Endpoint, roles []Role, groupAccessPolicies map[EndpointGroupID]TeamAccessPolicies) Authorizations {
+	policyRoles := make([]RoleID, 0)
+
+	for _, membership := range memberships {
+		policy, ok := groupAccessPolicies[endpoint.GroupID][membership.TeamID]
+		if ok {
+			policyRoles = append(policyRoles, policy.RoleID)
+		}
+	}
+
+	return getAuthorizationsFromRoles(policyRoles, roles)
+}
+
+func getAuthorizationsFromRoles(roleIdentifiers []RoleID, roles []Role) Authorizations {
+	var associatedRoles []Role
+
+	for _, id := range roleIdentifiers {
+		for _, role := range roles {
+			if role.ID == id {
+				associatedRoles = append(associatedRoles, role)
+				break
+			}
+		}
+	}
+
+	var authorizations Authorizations
+	highestPriority := 0
+	for _, role := range associatedRoles {
+		if role.Priority > highestPriority {
+			highestPriority = role.Priority
+			authorizations = role.Authorizations
+		}
+	}
+
+	return authorizations
+}
--- a/api/bolt/customtemplate/customtemplate.go
+++ b/api/bolt/customtemplate/customtemplate.go
@@ -1,96 +0,0 @@
-package customtemplate
-
-import (
-	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "customtemplates"
-)
-
-// Service represents a service for managing custom template data.
-type Service struct {
-	db *bolt.DB
-}
-
-// NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		db: db,
-	}, nil
-}
-
-// CustomTemplates return an array containing all the custom templates.
-func (service *Service) CustomTemplates() ([]portainer.CustomTemplate, error) {
-	var customTemplates = make([]portainer.CustomTemplate, 0)
-
-	err := service.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var customTemplate portainer.CustomTemplate
-			err := internal.UnmarshalObjectWithJsoniter(v, &customTemplate)
-			if err != nil {
-				return err
-			}
-			customTemplates = append(customTemplates, customTemplate)
-		}
-
-		return nil
-	})
-
-	return customTemplates, err
-}
-
-// CustomTemplate returns an custom template by ID.
-func (service *Service) CustomTemplate(ID portainer.CustomTemplateID) (*portainer.CustomTemplate, error) {
-	var customTemplate portainer.CustomTemplate
-	identifier := internal.Itob(int(ID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &customTemplate)
-	if err != nil {
-		return nil, err
-	}
-
-	return &customTemplate, nil
-}
-
-// UpdateCustomTemplate updates an custom template.
-func (service *Service) UpdateCustomTemplate(ID portainer.CustomTemplateID, customTemplate *portainer.CustomTemplate) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, customTemplate)
-}
-
-// DeleteCustomTemplate deletes an custom template.
-func (service *Service) DeleteCustomTemplate(ID portainer.CustomTemplateID) error {
-	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}
-
-// CreateCustomTemplate assign an ID to a new custom template and saves it.
-func (service *Service) CreateCustomTemplate(customTemplate *portainer.CustomTemplate) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		data, err := internal.MarshalObject(customTemplate)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(customTemplate.ID)), data)
-	})
-}
-
-// GetNextIdentifier returns the next identifier for a custom template.
-func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
-}
--- a/api/bolt/datastore.go
+++ b/api/bolt/datastore.go
@@ -5,17 +5,16 @@ import (
 	"path"
 	"time"

+	"github.com/portainer/portainer/api/bolt/edgegroup"
+	"github.com/portainer/portainer/api/bolt/edgestack"
+	"github.com/portainer/portainer/api/bolt/endpointrelation"
+	"github.com/portainer/portainer/api/bolt/tunnelserver"
+
 	"github.com/boltdb/bolt"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/customtemplate"
 	"github.com/portainer/portainer/api/bolt/dockerhub"
-	"github.com/portainer/portainer/api/bolt/edgegroup"
-	"github.com/portainer/portainer/api/bolt/edgejob"
-	"github.com/portainer/portainer/api/bolt/edgestack"
 	"github.com/portainer/portainer/api/bolt/endpoint"
 	"github.com/portainer/portainer/api/bolt/endpointgroup"
-	"github.com/portainer/portainer/api/bolt/endpointrelation"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/extension"
 	"github.com/portainer/portainer/api/bolt/migrator"
 	"github.com/portainer/portainer/api/bolt/registry"
@@ -27,11 +26,10 @@ import (
 	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/team"
 	"github.com/portainer/portainer/api/bolt/teammembership"
-	"github.com/portainer/portainer/api/bolt/tunnelserver"
+	"github.com/portainer/portainer/api/bolt/template"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
 	"github.com/portainer/portainer/api/bolt/webhook"
-	"github.com/portainer/portainer/api/internal/authorization"
 )

 const (
@@ -43,12 +41,11 @@ const (
 type Store struct {
 	path                    string
 	db                      *bolt.DB
-	isNew                   bool
+	checkForDataMigration   bool
 	fileService             portainer.FileService
-	CustomTemplateService   *customtemplate.Service
+	RoleService             *role.Service
 	DockerHubService        *dockerhub.Service
 	EdgeGroupService        *edgegroup.Service
-	EdgeJobService          *edgejob.Service
 	EdgeStackService        *edgestack.Service
 	EndpointGroupService    *endpointgroup.Service
 	EndpointService         *endpoint.Service
@@ -56,17 +53,17 @@ type Store struct {
 	ExtensionService        *extension.Service
 	RegistryService         *registry.Service
 	ResourceControlService  *resourcecontrol.Service
-	RoleService             *role.Service
-	ScheduleService         *schedule.Service
 	SettingsService         *settings.Service
 	StackService            *stack.Service
 	TagService              *tag.Service
 	TeamMembershipService   *teammembership.Service
 	TeamService             *team.Service
+	TemplateService         *template.Service
 	TunnelServerService     *tunnelserver.Service
 	UserService             *user.Service
 	VersionService          *version.Service
 	WebhookService          *webhook.Service
+	ScheduleService         *schedule.Service
 }

 // NewStore initializes a new Store and the associated services
@@ -74,7 +71,6 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 	store := &Store{
 		path:        storePath,
 		fileService: fileService,
-		isNew:       true,
 	}

 	databasePath := path.Join(storePath, databaseFileName)
@@ -83,8 +79,10 @@ func NewStore(storePath string, fileService portainer.FileService) (*Store, erro
 		return nil, err
 	}

-	if databaseFileExists {
-		store.isNew = false
+	if !databaseFileExists {
+		store.checkForDataMigration = false
+	} else {
+		store.checkForDataMigration = true
 	}

 	return store, nil
@@ -110,21 +108,14 @@ func (store *Store) Close() error {
 	return nil
 }

-// IsNew returns true if the database was just created and false if it is re-using
-// existing data.
-func (store *Store) IsNew() bool {
-	return store.isNew
-}
-
 // MigrateData automatically migrate the data based on the DBVersion.
-// This process is only triggered on an existing database, not if the database was just created.
 func (store *Store) MigrateData() error {
-	if store.isNew {
+	if !store.checkForDataMigration {
 		return store.VersionService.StoreDBVersion(portainer.DBVersion)
 	}

 	version, err := store.VersionService.DBVersion()
-	if err == errors.ErrObjectNotFound {
+	if err == portainer.ErrObjectNotFound {
 		version = 0
 	} else if err != nil {
 		return err
@@ -146,10 +137,10 @@ func (store *Store) MigrateData() error {
 			StackService:            store.StackService,
 			TagService:              store.TagService,
 			TeamMembershipService:   store.TeamMembershipService,
+			TemplateService:         store.TemplateService,
 			UserService:             store.UserService,
 			VersionService:          store.VersionService,
 			FileService:             store.fileService,
-			AuthorizationService:    authorization.NewService(store),
 		}
 		migrator := migrator.NewMigrator(migratorParams)

@@ -171,12 +162,6 @@ func (store *Store) initServices() error {
 	}
 	store.RoleService = authorizationsetService

-	customTemplateService, err := customtemplate.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.CustomTemplateService = customTemplateService
-
 	dockerhubService, err := dockerhub.NewService(store.db)
 	if err != nil {
 		return err
@@ -195,12 +180,6 @@ func (store *Store) initServices() error {
 	}
 	store.EdgeGroupService = edgeGroupService

-	edgeJobService, err := edgejob.NewService(store.db)
-	if err != nil {
-		return err
-	}
-	store.EdgeJobService = edgeJobService
-
 	endpointgroupService, err := endpointgroup.NewService(store.db)
 	if err != nil {
 		return err
@@ -267,6 +246,12 @@ func (store *Store) initServices() error {
 	}
 	store.TeamService = teamService

+	templateService, err := template.NewService(store.db)
+	if err != nil {
+		return err
+	}
+	store.TemplateService = templateService
+
 	tunnelServerService, err := tunnelserver.NewService(store.db)
 	if err != nil {
 		return err
@@ -299,103 +284,3 @@ func (store *Store) initServices() error {

 	return nil
 }
-
-// CustomTemplate gives access to the CustomTemplate data management layer
-func (store *Store) CustomTemplate() portainer.CustomTemplateService {
-	return store.CustomTemplateService
-}
-
-// DockerHub gives access to the DockerHub data management layer
-func (store *Store) DockerHub() portainer.DockerHubService {
-	return store.DockerHubService
-}
-
-// EdgeGroup gives access to the EdgeGroup data management layer
-func (store *Store) EdgeGroup() portainer.EdgeGroupService {
-	return store.EdgeGroupService
-}
-
-// EdgeJob gives access to the EdgeJob data management layer
-func (store *Store) EdgeJob() portainer.EdgeJobService {
-	return store.EdgeJobService
-}
-
-// EdgeStack gives access to the EdgeStack data management layer
-func (store *Store) EdgeStack() portainer.EdgeStackService {
-	return store.EdgeStackService
-}
-
-// Endpoint gives access to the Endpoint data management layer
-func (store *Store) Endpoint() portainer.EndpointService {
-	return store.EndpointService
-}
-
-// EndpointGroup gives access to the EndpointGroup data management layer
-func (store *Store) EndpointGroup() portainer.EndpointGroupService {
-	return store.EndpointGroupService
-}
-
-// EndpointRelation gives access to the EndpointRelation data management layer
-func (store *Store) EndpointRelation() portainer.EndpointRelationService {
-	return store.EndpointRelationService
-}
-
-// Registry gives access to the Registry data management layer
-func (store *Store) Registry() portainer.RegistryService {
-	return store.RegistryService
-}
-
-// ResourceControl gives access to the ResourceControl data management layer
-func (store *Store) ResourceControl() portainer.ResourceControlService {
-	return store.ResourceControlService
-}
-
-// Role gives access to the Role data management layer
-func (store *Store) Role() portainer.RoleService {
-	return store.RoleService
-}
-
-// Settings gives access to the Settings data management layer
-func (store *Store) Settings() portainer.SettingsService {
-	return store.SettingsService
-}
-
-// Stack gives access to the Stack data management layer
-func (store *Store) Stack() portainer.StackService {
-	return store.StackService
-}
-
-// Tag gives access to the Tag data management layer
-func (store *Store) Tag() portainer.TagService {
-	return store.TagService
-}
-
-// TeamMembership gives access to the TeamMembership data management layer
-func (store *Store) TeamMembership() portainer.TeamMembershipService {
-	return store.TeamMembershipService
-}
-
-// Team gives access to the Team data management layer
-func (store *Store) Team() portainer.TeamService {
-	return store.TeamService
-}
-
-// TunnelServer gives access to the TunnelServer data management layer
-func (store *Store) TunnelServer() portainer.TunnelServerService {
-	return store.TunnelServerService
-}
-
-// User gives access to the User data management layer
-func (store *Store) User() portainer.UserService {
-	return store.UserService
-}
-
-// Version gives access to the Version data management layer
-func (store *Store) Version() portainer.VersionService {
-	return store.VersionService
-}
-
-// Webhook gives access to the Webhook data management layer
-func (store *Store) Webhook() portainer.WebhookService {
-	return store.WebhookService
-}
--- a/api/bolt/edgejob/edgejob.go
+++ b/api/bolt/edgejob/edgejob.go
@@ -1,101 +0,0 @@
-package edgejob
-
-import (
-	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/internal"
-)
-
-const (
-	// BucketName represents the name of the bucket where this service stores data.
-	BucketName = "edgejobs"
-)
-
-// Service represents a service for managing edge jobs data.
-type Service struct {
-	db *bolt.DB
-}
-
-// NewService creates a new instance of a service.
-func NewService(db *bolt.DB) (*Service, error) {
-	err := internal.CreateBucket(db, BucketName)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Service{
-		db: db,
-	}, nil
-}
-
-// EdgeJobs returns a list of Edge jobs
-func (service *Service) EdgeJobs() ([]portainer.EdgeJob, error) {
-	var edgeJobs = make([]portainer.EdgeJob, 0)
-
-	err := service.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		cursor := bucket.Cursor()
-		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			var edgeJob portainer.EdgeJob
-			err := internal.UnmarshalObject(v, &edgeJob)
-			if err != nil {
-				return err
-			}
-			edgeJobs = append(edgeJobs, edgeJob)
-		}
-
-		return nil
-	})
-
-	return edgeJobs, err
-}
-
-// EdgeJob returns an Edge job by ID
-func (service *Service) EdgeJob(ID portainer.EdgeJobID) (*portainer.EdgeJob, error) {
-	var edgeJob portainer.EdgeJob
-	identifier := internal.Itob(int(ID))
-
-	err := internal.GetObject(service.db, BucketName, identifier, &edgeJob)
-	if err != nil {
-		return nil, err
-	}
-
-	return &edgeJob, nil
-}
-
-// CreateEdgeJob creates a new Edge job
-func (service *Service) CreateEdgeJob(edgeJob *portainer.EdgeJob) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		if edgeJob.ID == 0 {
-			id, _ := bucket.NextSequence()
-			edgeJob.ID = portainer.EdgeJobID(id)
-		}
-
-		data, err := internal.MarshalObject(edgeJob)
-		if err != nil {
-			return err
-		}
-
-		return bucket.Put(internal.Itob(int(edgeJob.ID)), data)
-	})
-}
-
-// UpdateEdgeJob updates an Edge job by ID
-func (service *Service) UpdateEdgeJob(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
-	identifier := internal.Itob(int(ID))
-	return internal.UpdateObject(service.db, BucketName, identifier, edgeJob)
-}
-
-// DeleteEdgeJob deletes an Edge job
-func (service *Service) DeleteEdgeJob(ID portainer.EdgeJobID) error {
-	identifier := internal.Itob(int(ID))
-	return internal.DeleteObject(service.db, BucketName, identifier)
-}
-
-// GetNextIdentifier returns the next identifier for an endpoint.
-func (service *Service) GetNextIdentifier() int {
-	return internal.GetNextIdentifier(service.db, BucketName)
-}
--- a/api/bolt/errors/errors.go
+++ b/api/bolt/errors/errors.go
@@ -1,7 +0,0 @@
-package errors
-
-import "errors"
-
-var (
-	ErrObjectNotFound = errors.New("Object not found inside the database")
-)
--- a/api/bolt/init.go
+++ b/api/bolt/init.go
@@ -1,83 +1,9 @@
 package bolt

-import (
-	"github.com/gofrs/uuid"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
-)
+import portainer "github.com/portainer/portainer/api"

 // Init creates the default data set.
 func (store *Store) Init() error {
-	instanceID, err := store.VersionService.InstanceID()
-	if err == errors.ErrObjectNotFound {
-		uid, err := uuid.NewV4()
-		if err != nil {
-			return err
-		}
-
-		instanceID = uid.String()
-		err = store.VersionService.StoreInstanceID(instanceID)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
-	_, err = store.SettingsService.Settings()
-	if err == errors.ErrObjectNotFound {
-		defaultSettings := &portainer.Settings{
-			AuthenticationMethod: portainer.AuthenticationInternal,
-			BlackListedLabels:    make([]portainer.Pair, 0),
-			LDAPSettings: portainer.LDAPSettings{
-				AnonymousMode:   true,
-				AutoCreateUsers: true,
-				TLSConfig:       portainer.TLSConfiguration{},
-				SearchSettings: []portainer.LDAPSearchSettings{
-					portainer.LDAPSearchSettings{},
-				},
-				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
-					portainer.LDAPGroupSearchSettings{},
-				},
-			},
-			OAuthSettings:                             portainer.OAuthSettings{},
-			AllowBindMountsForRegularUsers:            true,
-			AllowPrivilegedModeForRegularUsers:        true,
-			AllowVolumeBrowserForRegularUsers:         false,
-			AllowHostNamespaceForRegularUsers:         true,
-			AllowDeviceMappingForRegularUsers:         true,
-			AllowStackManagementForRegularUsers:       true,
-			AllowContainerCapabilitiesForRegularUsers: true,
-			EnableHostManagementFeatures:              false,
-			EdgeAgentCheckinInterval:                  portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
-			TemplatesURL:                              portainer.DefaultTemplatesURL,
-			UserSessionTimeout:                        portainer.DefaultUserSessionTimeout,
-		}
-
-		err = store.SettingsService.UpdateSettings(defaultSettings)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
-	_, err = store.DockerHubService.DockerHub()
-	if err == errors.ErrObjectNotFound {
-		defaultDockerHub := &portainer.DockerHub{
-			Authentication: false,
-			Username:       "",
-			Password:       "",
-		}
-
-		err := store.DockerHubService.UpdateDockerHub(defaultDockerHub)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
-	}
-
 	groups, err := store.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
@@ -99,5 +25,60 @@ func (store *Store) Init() error {
 		}
 	}

+	roles, err := store.RoleService.Roles()
+	if err != nil {
+		return err
+	}
+
+	if len(roles) == 0 {
+		environmentAdministratorRole := &portainer.Role{
+			Name:           "Endpoint administrator",
+			Description:    "Full control of all resources in an endpoint",
+			Priority:       1,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole(),
+		}
+
+		err = store.RoleService.CreateRole(environmentAdministratorRole)
+		if err != nil {
+			return err
+		}
+
+		environmentReadOnlyUserRole := &portainer.Role{
+			Name:           "Helpdesk",
+			Description:    "Read-only access of all resources in an endpoint",
+			Priority:       2,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForHelpDeskRole(false),
+		}
+
+		err = store.RoleService.CreateRole(environmentReadOnlyUserRole)
+		if err != nil {
+			return err
+		}
+
+		standardUserRole := &portainer.Role{
+			Name:           "Standard user",
+			Description:    "Full control of assigned resources in an endpoint",
+			Priority:       3,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForStandardUserRole(false),
+		}
+
+		err = store.RoleService.CreateRole(standardUserRole)
+		if err != nil {
+			return err
+		}
+
+		readOnlyUserRole := &portainer.Role{
+			Name:           "Read-only user",
+			Description:    "Read-only access of assigned resources in an endpoint",
+			Priority:       4,
+			Authorizations: portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(false),
+		}
+
+		err = store.RoleService.CreateRole(readOnlyUserRole)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/api/bolt/internal/db.go
+++ b/api/bolt/internal/db.go
@@ -4,7 +4,7 @@ import (
 	"encoding/binary"

 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api/bolt/errors"
+	"github.com/portainer/portainer/api"
 )

 // Itob returns an 8-byte big endian representation of v.
@@ -36,7 +36,7 @@ func GetObject(db *bolt.DB, bucketName string, key []byte, object interface{}) e

 		value := bucket.Get(key)
 		if value == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		data = make([]byte, len(value))
--- a/api/bolt/migrator/migrate_dbversion0.go
+++ b/api/bolt/migrator/migrate_dbversion0.go
@@ -3,7 +3,6 @@ package migrator
 import (
 	"github.com/boltdb/bolt"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/user"
 )

@@ -23,7 +22,7 @@ func (m *Migrator) updateAdminUserToDBVersion1() error {
 		if err != nil {
 			return err
 		}
-	} else if err != nil && err != errors.ErrObjectNotFound {
+	} else if err != nil && err != portainer.ErrObjectNotFound {
 		return err
 	}
 	return nil
--- a/api/bolt/migrator/migrate_dbversion14.go
+++ b/api/bolt/migrator/migrate_dbversion14.go
@@ -1,5 +1,11 @@
 package migrator

+import (
+	"strings"
+
+	"github.com/portainer/portainer/api"
+)
+
 func (m *Migrator) updateSettingsToDBVersion15() error {
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
@@ -11,6 +17,19 @@ func (m *Migrator) updateSettingsToDBVersion15() error {
 }

 func (m *Migrator) updateTemplatesToVersion15() error {
-	// Removed with the entire template management layer, part of https://github.com/portainer/portainer/issues/3707
+	legacyTemplates, err := m.templateService.Templates()
+	if err != nil {
+		return err
+	}
+
+	for _, template := range legacyTemplates {
+		template.Logo = strings.Replace(template.Logo, "https://portainer.io/images", portainer.AssetsServerURL, -1)
+
+		err = m.templateService.UpdateTemplate(template.ID, &template)
+		if err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
--- a/api/bolt/migrator/migrate_dbversion19.go
+++ b/api/bolt/migrator/migrate_dbversion19.go
@@ -2,12 +2,22 @@ package migrator

 import (
 	"strings"
+
+	portainer "github.com/portainer/portainer/api"
 )

-const scheduleScriptExecutionJobType = 1
-
 func (m *Migrator) updateUsersToDBVersion20() error {
-	return m.authorizationService.UpdateUsersAuthorizations()
+	authorizationServiceParameters := &portainer.AuthorizationServiceParameters{
+		EndpointService:       m.endpointService,
+		EndpointGroupService:  m.endpointGroupService,
+		RegistryService:       m.registryService,
+		RoleService:           m.roleService,
+		TeamMembershipService: m.teamMembershipService,
+		UserService:           m.userService,
+	}
+
+	authorizationService := portainer.NewAuthorizationService(authorizationServiceParameters)
+	return authorizationService.UpdateUsersAuthorizations()
 }

 func (m *Migrator) updateSettingsToDBVersion20() error {
@@ -28,7 +38,7 @@ func (m *Migrator) updateSchedulesToDBVersion20() error {
 	}

 	for _, schedule := range legacySchedules {
-		if schedule.JobType == scheduleScriptExecutionJobType {
+		if schedule.JobType == portainer.ScriptExecutionJobType {
 			if schedule.CronExpression == "0 0 * * *" {
 				schedule.CronExpression = "0 * * * *"
 			} else if schedule.CronExpression == "0 0 0/2 * *" {
--- a/api/bolt/migrator/migrate_dbversion20.go
+++ b/api/bolt/migrator/migrate_dbversion20.go
@@ -1,9 +1,6 @@
 package migrator

-import (
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/internal/authorization"
-)
+import portainer "github.com/portainer/portainer/api"

 func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	legacyResourceControls, err := m.resourceControlService.ResourceControls()
@@ -35,7 +32,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	}

 	for _, user := range legacyUsers {
-		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
+		user.PortainerAuthorizations = portainer.DefaultPortainerAuthorizations()
 		err = m.userService.UpdateUser(user.ID, &user)
 		if err != nil {
 			return err
@@ -47,7 +44,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	endpointAdministratorRole.Priority = 1
-	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
+	endpointAdministratorRole.Authorizations = portainer.DefaultEndpointAuthorizationsForEndpointAdministratorRole()

 	err = m.roleService.UpdateRole(endpointAdministratorRole.ID, endpointAdministratorRole)

@@ -56,7 +53,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	helpDeskRole.Priority = 2
-	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
+	helpDeskRole.Authorizations = portainer.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(helpDeskRole.ID, helpDeskRole)

@@ -65,7 +62,7 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	standardUserRole.Priority = 3
-	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
+	standardUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(standardUserRole.ID, standardUserRole)

@@ -74,12 +71,19 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 		return err
 	}
 	readOnlyUserRole.Priority = 4
-	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
+	readOnlyUserRole.Authorizations = portainer.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)

 	err = m.roleService.UpdateRole(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
-		return err
+
+	authorizationServiceParameters := &portainer.AuthorizationServiceParameters{
+		EndpointService:       m.endpointService,
+		EndpointGroupService:  m.endpointGroupService,
+		RegistryService:       m.registryService,
+		RoleService:           m.roleService,
+		TeamMembershipService: m.teamMembershipService,
+		UserService:           m.userService,
 	}

-	return m.authorizationService.UpdateUsersAuthorizations()
+	authorizationService := portainer.NewAuthorizationService(authorizationServiceParameters)
+	return authorizationService.UpdateUsersAuthorizations()
 }
--- a/api/bolt/migrator/migrate_dbversion22.go
+++ b/api/bolt/migrator/migrate_dbversion22.go
@@ -1,6 +1,8 @@
 package migrator

-import "github.com/portainer/portainer/api"
+import (
+	"github.com/portainer/portainer/api"
+)

 func (m *Migrator) updateTagsToDBVersion23() error {
 	tags, err := m.tagService.Tags()
--- a/api/bolt/migrator/migrate_dbversion23.go
+++ b/api/bolt/migrator/migrate_dbversion23.go
@@ -1,34 +1,14 @@
 package migrator

-import portainer "github.com/portainer/portainer/api"
-
-func (m *Migrator) updateSettingsToDB24() error {
+func (m *Migrator) updateSettingsToDBVersion24() error {
 	legacySettings, err := m.settingsService.Settings()
 	if err != nil {
 		return err
 	}

-	legacySettings.AllowHostNamespaceForRegularUsers = true
 	legacySettings.AllowDeviceMappingForRegularUsers = true
 	legacySettings.AllowStackManagementForRegularUsers = true
+	legacySettings.AllowHostNamespaceForRegularUsers = true

 	return m.settingsService.UpdateSettings(legacySettings)
 }
-
-func (m *Migrator) updateStacksToDB24() error {
-	stacks, err := m.stackService.Stacks()
-	if err != nil {
-		return err
-	}
-
-	for idx := range stacks {
-		stack := &stacks[idx]
-		stack.Status = portainer.StackStatusActive
-		err := m.stackService.UpdateStack(stack.ID, stack)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
--- a/api/bolt/migrator/migrate_dbversion24.go
+++ b/api/bolt/migrator/migrate_dbversion24.go
@@ -1,23 +0,0 @@
-package migrator
-
-import (
-	"github.com/portainer/portainer/api"
-)
-
-func (m *Migrator) updateSettingsToDB25() error {
-	legacySettings, err := m.settingsService.Settings()
-	if err != nil {
-		return err
-	}
-
-	if legacySettings.TemplatesURL == "" {
-		legacySettings.TemplatesURL = portainer.DefaultTemplatesURL
-	}
-
-	legacySettings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-	legacySettings.EnableTelemetry = true
-
-	legacySettings.AllowContainerCapabilitiesForRegularUsers = true
-
-	return m.settingsService.UpdateSettings(legacySettings)
-}
--- a/api/bolt/migrator/migrator.go
+++ b/api/bolt/migrator/migrator.go
@@ -15,9 +15,9 @@ import (
 	"github.com/portainer/portainer/api/bolt/stack"
 	"github.com/portainer/portainer/api/bolt/tag"
 	"github.com/portainer/portainer/api/bolt/teammembership"
+	"github.com/portainer/portainer/api/bolt/template"
 	"github.com/portainer/portainer/api/bolt/user"
 	"github.com/portainer/portainer/api/bolt/version"
-	"github.com/portainer/portainer/api/internal/authorization"
 )

 type (
@@ -37,10 +37,10 @@ type (
 		stackService            *stack.Service
 		tagService              *tag.Service
 		teamMembershipService   *teammembership.Service
+		templateService         *template.Service
 		userService             *user.Service
 		versionService          *version.Service
 		fileService             portainer.FileService
-		authorizationService    *authorization.Service
 	}

 	// Parameters represents the required parameters to create a new Migrator instance.
@@ -59,10 +59,10 @@ type (
 		StackService            *stack.Service
 		TagService              *tag.Service
 		TeamMembershipService   *teammembership.Service
+		TemplateService         *template.Service
 		UserService             *user.Service
 		VersionService          *version.Service
 		FileService             portainer.FileService
-		AuthorizationService    *authorization.Service
 	}
 )

@@ -82,16 +82,17 @@ func NewMigrator(parameters *Parameters) *Migrator {
 		settingsService:         parameters.SettingsService,
 		tagService:              parameters.TagService,
 		teamMembershipService:   parameters.TeamMembershipService,
+		templateService:         parameters.TemplateService,
 		stackService:            parameters.StackService,
 		userService:             parameters.UserService,
 		versionService:          parameters.VersionService,
 		fileService:             parameters.FileService,
-		authorizationService:    parameters.AuthorizationService,
 	}
 }

 // Migrate checks the database version and migrate the existing data to the most recent data model.
 func (m *Migrator) Migrate() error {
+
 	// Portainer < 1.12
 	if m.currentDBVersion < 1 {
 		err := m.updateAdminUserToDBVersion1()
@@ -323,20 +324,7 @@ func (m *Migrator) Migrate() error {

 	// Portainer 1.24.1
 	if m.currentDBVersion < 24 {
-		err := m.updateSettingsToDB24()
-		if err != nil {
-			return err
-		}
-	}
-
-	// Portainer 2.0.0
-	if m.currentDBVersion < 25 {
-		err := m.updateSettingsToDB25()
-		if err != nil {
-			return err
-		}
-
-		err = m.updateStacksToDB24()
+		err := m.updateSettingsToDBVersion24()
 		if err != nil {
 			return err
 		}
--- a/api/bolt/stack/stack.go
+++ b/api/bolt/stack/stack.go
@@ -2,7 +2,6 @@ package stack

 import (
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"

 	"github.com/boltdb/bolt"
@@ -65,7 +64,7 @@ func (service *Service) StackByName(name string) (*portainer.Stack, error) {
 		}

 		if stack == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		return nil
--- a/api/bolt/team/team.go
+++ b/api/bolt/team/team.go
@@ -2,7 +2,6 @@ package team

 import (
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"

 	"github.com/boltdb/bolt"
@@ -65,7 +64,7 @@ func (service *Service) TeamByName(name string) (*portainer.Team, error) {
 		}

 		if team == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		return nil
--- a/api/bolt/template/template.go
+++ b/api/bolt/template/template.go
@@ -0,0 +1,95 @@
+package template
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt/internal"
+
+	"github.com/boltdb/bolt"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "templates"
+)
+
+// Service represents a service for managing endpoint data.
+type Service struct {
+	db *bolt.DB
+}
+
+// NewService creates a new instance of a service.
+func NewService(db *bolt.DB) (*Service, error) {
+	err := internal.CreateBucket(db, BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		db: db,
+	}, nil
+}
+
+// Templates return an array containing all the templates.
+func (service *Service) Templates() ([]portainer.Template, error) {
+	var templates = make([]portainer.Template, 0)
+
+	err := service.db.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var template portainer.Template
+			err := internal.UnmarshalObject(v, &template)
+			if err != nil {
+				return err
+			}
+			templates = append(templates, template)
+		}
+
+		return nil
+	})
+
+	return templates, err
+}
+
+// Template returns a template by ID.
+func (service *Service) Template(ID portainer.TemplateID) (*portainer.Template, error) {
+	var template portainer.Template
+	identifier := internal.Itob(int(ID))
+
+	err := internal.GetObject(service.db, BucketName, identifier, &template)
+	if err != nil {
+		return nil, err
+	}
+
+	return &template, nil
+}
+
+// CreateTemplate creates a new template.
+func (service *Service) CreateTemplate(template *portainer.Template) error {
+	return service.db.Update(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket([]byte(BucketName))
+
+		id, _ := bucket.NextSequence()
+		template.ID = portainer.TemplateID(id)
+
+		data, err := internal.MarshalObject(template)
+		if err != nil {
+			return err
+		}
+
+		return bucket.Put(internal.Itob(int(template.ID)), data)
+	})
+}
+
+// UpdateTemplate saves a template.
+func (service *Service) UpdateTemplate(ID portainer.TemplateID, template *portainer.Template) error {
+	identifier := internal.Itob(int(ID))
+	return internal.UpdateObject(service.db, BucketName, identifier, template)
+}
+
+// DeleteTemplate deletes a template.
+func (service *Service) DeleteTemplate(ID portainer.TemplateID) error {
+	identifier := internal.Itob(int(ID))
+	return internal.DeleteObject(service.db, BucketName, identifier)
+}
--- a/api/bolt/user/user.go
+++ b/api/bolt/user/user.go
@@ -2,7 +2,6 @@ package user

 import (
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"

 	"github.com/boltdb/bolt"
@@ -65,7 +64,7 @@ func (service *Service) UserByUsername(username string) (*portainer.User, error)
 		}

 		if user == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}
 		return nil
 	})
--- a/api/bolt/version/version.go
+++ b/api/bolt/version/version.go
@@ -4,15 +4,14 @@ import (
 	"strconv"

 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api/bolt/errors"
+	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/bolt/internal"
 )

 const (
 	// BucketName represents the name of the bucket where this service stores data.
-	BucketName  = "version"
-	versionKey  = "DB_VERSION"
-	instanceKey = "INSTANCE_ID"
+	BucketName = "version"
+	versionKey = "DB_VERSION"
 )

 // Service represents a service to manage stored versions.
@@ -41,7 +40,7 @@ func (service *Service) DBVersion() (int, error) {

 		value := bucket.Get([]byte(versionKey))
 		if value == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		data = make([]byte, len(value))
@@ -65,37 +64,3 @@ func (service *Service) StoreDBVersion(version int) error {
 		return bucket.Put([]byte(versionKey), data)
 	})
 }
-
-// InstanceID retrieves the stored instance ID.
-func (service *Service) InstanceID() (string, error) {
-	var data []byte
-
-	err := service.db.View(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		value := bucket.Get([]byte(instanceKey))
-		if value == nil {
-			return errors.ErrObjectNotFound
-		}
-
-		data = make([]byte, len(value))
-		copy(data, value)
-
-		return nil
-	})
-	if err != nil {
-		return "", err
-	}
-
-	return string(data), nil
-}
-
-// StoreInstanceID store the instance ID.
-func (service *Service) StoreInstanceID(ID string) error {
-	return service.db.Update(func(tx *bolt.Tx) error {
-		bucket := tx.Bucket([]byte(BucketName))
-
-		data := []byte(ID)
-		return bucket.Put([]byte(instanceKey), data)
-	})
-}
--- a/api/bolt/webhook/webhook.go
+++ b/api/bolt/webhook/webhook.go
@@ -2,7 +2,6 @@ package webhook

 import (
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 	"github.com/portainer/portainer/api/bolt/internal"

 	"github.com/boltdb/bolt"
@@ -88,7 +87,7 @@ func (service *Service) WebhookByResourceID(ID string) (*portainer.Webhook, erro
 		}

 		if webhook == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		return nil
@@ -119,7 +118,7 @@ func (service *Service) WebhookByToken(token string) (*portainer.Webhook, error)
 		}

 		if webhook == nil {
-			return errors.ErrObjectNotFound
+			return portainer.ErrObjectNotFound
 		}

 		return nil
--- a/api/chisel/schedules.go
+++ b/api/chisel/schedules.go
@@ -6,42 +6,42 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )

-// AddEdgeJob register an EdgeJob inside the tunnel details associated to an endpoint.
-func (service *Service) AddEdgeJob(endpointID portainer.EndpointID, edgeJob *portainer.EdgeJob) {
+// AddSchedule register a schedule inside the tunnel details associated to an endpoint.
+func (service *Service) AddSchedule(endpointID portainer.EndpointID, schedule *portainer.EdgeSchedule) {
 	tunnel := service.GetTunnelDetails(endpointID)

-	existingJobIndex := -1
-	for idx, existingJob := range tunnel.Jobs {
-		if existingJob.ID == edgeJob.ID {
-			existingJobIndex = idx
+	existingScheduleIndex := -1
+	for idx, existingSchedule := range tunnel.Schedules {
+		if existingSchedule.ID == schedule.ID {
+			existingScheduleIndex = idx
 			break
 		}
 	}

-	if existingJobIndex == -1 {
-		tunnel.Jobs = append(tunnel.Jobs, *edgeJob)
+	if existingScheduleIndex == -1 {
+		tunnel.Schedules = append(tunnel.Schedules, *schedule)
 	} else {
-		tunnel.Jobs[existingJobIndex] = *edgeJob
+		tunnel.Schedules[existingScheduleIndex] = *schedule
 	}

 	key := strconv.Itoa(int(endpointID))
 	service.tunnelDetailsMap.Set(key, tunnel)
 }

-// RemoveEdgeJob will remove the specified Edge job from each tunnel it was registered with.
-func (service *Service) RemoveEdgeJob(edgeJobID portainer.EdgeJobID) {
+// RemoveSchedule will remove the specified schedule from each tunnel it was registered with.
+func (service *Service) RemoveSchedule(scheduleID portainer.ScheduleID) {
 	for item := range service.tunnelDetailsMap.IterBuffered() {
 		tunnelDetails := item.Val.(*portainer.TunnelDetails)

-		updatedJobs := make([]portainer.EdgeJob, 0)
-		for _, edgeJob := range tunnelDetails.Jobs {
-			if edgeJob.ID == edgeJobID {
+		updatedSchedules := make([]portainer.EdgeSchedule, 0)
+		for _, schedule := range tunnelDetails.Schedules {
+			if schedule.ID == scheduleID {
 				continue
 			}
-			updatedJobs = append(updatedJobs, edgeJob)
+			updatedSchedules = append(updatedSchedules, schedule)
 		}

-		tunnelDetails.Jobs = updatedJobs
+		tunnelDetails.Schedules = updatedSchedules
 		service.tunnelDetailsMap.Set(item.Key, tunnelDetails)
 	}
 }
--- a/api/chisel/service.go
+++ b/api/chisel/service.go
@@ -7,10 +7,11 @@ import (
 	"time"

 	"github.com/dchest/uniuri"
-	chserver "github.com/jpillora/chisel/server"
+
 	cmap "github.com/orcaman/concurrent-map"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
+
+	chserver "github.com/jpillora/chisel/server"
+	portainer "github.com/portainer/portainer/api"
 )

 const (
@@ -23,19 +24,21 @@ const (
 // It is used to start a reverse tunnel server and to manage the connection status of each tunnel
 // connected to the tunnel server.
 type Service struct {
-	serverFingerprint string
-	serverPort        string
-	tunnelDetailsMap  cmap.ConcurrentMap
-	dataStore         portainer.DataStore
-	snapshotService   portainer.SnapshotService
-	chiselServer      *chserver.Server
+	serverFingerprint   string
+	serverPort          string
+	tunnelDetailsMap    cmap.ConcurrentMap
+	endpointService     portainer.EndpointService
+	tunnelServerService portainer.TunnelServerService
+	snapshotter         portainer.Snapshotter
+	chiselServer        *chserver.Server
 }

 // NewService returns a pointer to a new instance of Service
-func NewService(dataStore portainer.DataStore) *Service {
+func NewService(endpointService portainer.EndpointService, tunnelServerService portainer.TunnelServerService) *Service {
 	return &Service{
-		tunnelDetailsMap: cmap.New(),
-		dataStore:        dataStore,
+		tunnelDetailsMap:    cmap.New(),
+		endpointService:     endpointService,
+		tunnelServerService: tunnelServerService,
 	}
 }

@@ -44,7 +47,7 @@ func NewService(dataStore portainer.DataStore) *Service {
 // be found inside the database, it will generate a new one randomly and persist it.
 // It starts the tunnel status verification process in the background.
 // The snapshotter is used in the tunnel status verification process.
-func (service *Service) StartTunnelServer(addr, port string, snapshotService portainer.SnapshotService) error {
+func (service *Service) StartTunnelServer(addr, port string, snapshotter portainer.Snapshotter) error {
 	keySeed, err := service.retrievePrivateKeySeed()
 	if err != nil {
 		return err
@@ -77,7 +80,7 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotService por
 		return err
 	}

-	service.snapshotService = snapshotService
+	service.snapshotter = snapshotter
 	go service.startTunnelVerificationLoop()

 	return nil
@@ -86,15 +89,15 @@ func (service *Service) StartTunnelServer(addr, port string, snapshotService por
 func (service *Service) retrievePrivateKeySeed() (string, error) {
 	var serverInfo *portainer.TunnelServerInfo

-	serverInfo, err := service.dataStore.TunnelServer().Info()
-	if err == errors.ErrObjectNotFound {
+	serverInfo, err := service.tunnelServerService.Info()
+	if err == portainer.ErrObjectNotFound {
 		keySeed := uniuri.NewLen(16)

 		serverInfo = &portainer.TunnelServerInfo{
 			PrivateKeySeed: keySeed,
 		}

-		err := service.dataStore.TunnelServer().UpdateInfo(serverInfo)
+		err := service.tunnelServerService.UpdateInfo(serverInfo)
 		if err != nil {
 			return "", err
 		}
@@ -154,7 +157,7 @@ func (service *Service) checkTunnels() {
 			}
 		}

-		if len(tunnel.Jobs) > 0 {
+		if len(tunnel.Schedules) > 0 {
 			endpointID, err := strconv.Atoi(item.Key)
 			if err != nil {
 				log.Printf("[ERROR] [chisel,conversion] Invalid endpoint identifier (id: %s): %s", item.Key, err)
@@ -170,19 +173,19 @@ func (service *Service) checkTunnels() {
 }

 func (service *Service) snapshotEnvironment(endpointID portainer.EndpointID, tunnelPort int) error {
-	endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+	endpoint, err := service.endpointService.Endpoint(portainer.EndpointID(endpointID))
 	if err != nil {
 		return err
 	}

 	endpointURL := endpoint.URL
-
 	endpoint.URL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnelPort)
-	err = service.snapshotService.SnapshotEndpoint(endpoint)
+	snapshot, err := service.snapshotter.CreateSnapshot(endpoint)
 	if err != nil {
 		return err
 	}

+	endpoint.Snapshots = []portainer.Snapshot{*snapshot}
 	endpoint.URL = endpointURL
-	return service.dataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
+	return service.endpointService.UpdateEndpoint(endpoint.ID, endpoint)
 }
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -47,11 +47,11 @@ func (service *Service) GetTunnelDetails(endpointID portainer.EndpointID) *porta
 		return tunnelDetails
 	}

-	jobs := make([]portainer.EdgeJob, 0)
+	schedules := make([]portainer.EdgeSchedule, 0)
 	return &portainer.TunnelDetails{
 		Status:      portainer.EdgeAgentIdle,
 		Port:        0,
-		Jobs:        jobs,
+		Schedules:   schedules,
 		Credentials: "",
 	}
 }
@@ -97,7 +97,7 @@ func (service *Service) SetTunnelStatusToRequired(endpointID portainer.EndpointI
 	tunnel := service.GetTunnelDetails(endpointID)

 	if tunnel.Port == 0 {
-		endpoint, err := service.dataStore.Endpoint().Endpoint(endpointID)
+		endpoint, err := service.endpointService.Endpoint(endpointID)
 		if err != nil {
 			return err
 		}
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -1,7 +1,6 @@
 package cli

 import (
-	"errors"
 	"log"
 	"time"

@@ -17,11 +16,16 @@ import (
 // Service implements the CLIService interface
 type Service struct{}

-var (
-	errInvalidEndpointProtocol       = errors.New("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
-	errSocketOrNamedPipeNotFound     = errors.New("Unable to locate Unix socket or named pipe")
-	errInvalidSnapshotInterval       = errors.New("Invalid snapshot interval")
-	errAdminPassExcludeAdminPassFile = errors.New("Cannot use --admin-password with --admin-password-file")
+const (
+	errInvalidEndpointProtocol       = portainer.Error("Invalid endpoint protocol: Portainer only supports unix://, npipe:// or tcp://")
+	errSocketOrNamedPipeNotFound     = portainer.Error("Unable to locate Unix socket or named pipe")
+	errEndpointsFileNotFound         = portainer.Error("Unable to locate external endpoints file")
+	errTemplateFileNotFound          = portainer.Error("Unable to locate template file on disk")
+	errInvalidSyncInterval           = portainer.Error("Invalid synchronization interval")
+	errInvalidSnapshotInterval       = portainer.Error("Invalid snapshot interval")
+	errEndpointExcludeExternal       = portainer.Error("Cannot use the -H flag mutually with --external-endpoints")
+	errNoAuthExcludeAdminPassword    = portainer.Error("Cannot use --no-auth with --admin-password or --admin-password-file")
+	errAdminPassExcludeAdminPassFile = portainer.Error("Cannot use --admin-password with --admin-password-file")
 )

 // ParseFlags parse the CLI flags and return a portainer.Flags struct
@@ -29,28 +33,32 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 	kingpin.Version(version)

 	flags := &portainer.CLIFlags{
-		Addr:                      kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
-		TunnelAddr:                kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
-		TunnelPort:                kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
-		Assets:                    kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
-		Data:                      kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
-		EndpointURL:               kingpin.Flag("host", "Endpoint URL").Short('H').String(),
-		EnableEdgeComputeFeatures: kingpin.Flag("edge-compute", "Enable Edge Compute features").Bool(),
-		NoAnalytics:               kingpin.Flag("no-analytics", "Disable Analytics in app (deprecated)").Bool(),
-		TLS:                       kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
-		TLSSkipVerify:             kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
-		TLSCacert:                 kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
-		TLSCert:                   kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
-		TLSKey:                    kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
-		SSL:                       kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
-		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
-		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
-		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
-		AdminPassword:             kingpin.Flag("admin-password", "Hashed admin password").String(),
-		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
-		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
-		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
-		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
+		Addr:              kingpin.Flag("bind", "Address and port to serve Portainer").Default(defaultBindAddress).Short('p').String(),
+		TunnelAddr:        kingpin.Flag("tunnel-addr", "Address to serve the tunnel server").Default(defaultTunnelServerAddress).String(),
+		TunnelPort:        kingpin.Flag("tunnel-port", "Port to serve the tunnel server").Default(defaultTunnelServerPort).String(),
+		Assets:            kingpin.Flag("assets", "Path to the assets").Default(defaultAssetsDirectory).Short('a').String(),
+		Data:              kingpin.Flag("data", "Path to the folder where the data is stored").Default(defaultDataDirectory).Short('d').String(),
+		EndpointURL:       kingpin.Flag("host", "Endpoint URL").Short('H').String(),
+		ExternalEndpoints: kingpin.Flag("external-endpoints", "Path to a file defining available endpoints (deprecated)").String(),
+		NoAuth:            kingpin.Flag("no-auth", "Disable authentication (deprecated)").Default(defaultNoAuth).Bool(),
+		NoAnalytics:       kingpin.Flag("no-analytics", "Disable Analytics in app").Default(defaultNoAnalytics).Bool(),
+		TLS:               kingpin.Flag("tlsverify", "TLS support").Default(defaultTLS).Bool(),
+		TLSSkipVerify:     kingpin.Flag("tlsskipverify", "Disable TLS server verification").Default(defaultTLSSkipVerify).Bool(),
+		TLSCacert:         kingpin.Flag("tlscacert", "Path to the CA").Default(defaultTLSCACertPath).String(),
+		TLSCert:           kingpin.Flag("tlscert", "Path to the TLS certificate file").Default(defaultTLSCertPath).String(),
+		TLSKey:            kingpin.Flag("tlskey", "Path to the TLS key").Default(defaultTLSKeyPath).String(),
+		SSL:               kingpin.Flag("ssl", "Secure Portainer instance using SSL").Default(defaultSSL).Bool(),
+		SSLCert:           kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").Default(defaultSSLCertPath).String(),
+		SSLKey:            kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").Default(defaultSSLKeyPath).String(),
+		SyncInterval:      kingpin.Flag("sync-interval", "Duration between each synchronization via the external endpoints source (deprecated)").Default(defaultSyncInterval).String(),
+		Snapshot:          kingpin.Flag("snapshot", "Start a background job to create endpoint snapshots (deprecated)").Default(defaultSnapshot).Bool(),
+		SnapshotInterval:  kingpin.Flag("snapshot-interval", "Duration between each endpoint snapshot job").Default(defaultSnapshotInterval).String(),
+		AdminPassword:     kingpin.Flag("admin-password", "Hashed admin password").String(),
+		AdminPasswordFile: kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
+		Labels:            pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
+		Logo:              kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
+		Templates:         kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
+		TemplateFile:      kingpin.Flag("template-file", "Path to the App templates definitions on the filesystem (deprecated)").Default(defaultTemplateFile).String(),
 	}

 	kingpin.Parse()
@@ -71,7 +79,26 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {

 	displayDeprecationWarnings(flags)

-	err := validateEndpointURL(*flags.EndpointURL)
+	if *flags.EndpointURL != "" && *flags.ExternalEndpoints != "" {
+		return errEndpointExcludeExternal
+	}
+
+	err := validateTemplateFile(*flags.TemplateFile)
+	if err != nil {
+		return err
+	}
+
+	err = validateEndpointURL(*flags.EndpointURL)
+	if err != nil {
+		return err
+	}
+
+	err = validateExternalEndpoints(*flags.ExternalEndpoints)
+	if err != nil {
+		return err
+	}
+
+	err = validateSyncInterval(*flags.SyncInterval)
 	if err != nil {
 		return err
 	}
@@ -81,6 +108,10 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 		return err
 	}

+	if *flags.NoAuth && (*flags.AdminPassword != "" || *flags.AdminPasswordFile != "") {
+		return errNoAuthExcludeAdminPassword
+	}
+
 	if *flags.AdminPassword != "" && *flags.AdminPasswordFile != "" {
 		return errAdminPassExcludeAdminPassFile
 	}
@@ -89,8 +120,24 @@ func (*Service) ValidateFlags(flags *portainer.CLIFlags) error {
 }

 func displayDeprecationWarnings(flags *portainer.CLIFlags) {
-	if *flags.NoAnalytics {
-		log.Println("Warning: The --no-analytics flag has been kept to allow migration of instances running a previous version of Portainer with this flag enabled, to version 2.0 where enabling this flag will have no effect.")
+	if *flags.ExternalEndpoints != "" {
+		log.Println("Warning: the --external-endpoint flag is deprecated and will likely be removed in a future version of Portainer.")
+	}
+
+	if *flags.SyncInterval != defaultSyncInterval {
+		log.Println("Warning: the --sync-interval flag is deprecated and will likely be removed in a future version of Portainer.")
+	}
+
+	if *flags.NoAuth {
+		log.Println("Warning: the --no-auth flag is deprecated and will likely be removed in a future version of Portainer.")
+	}
+
+	if !*flags.Snapshot {
+		log.Println("Warning: the --no-snapshot flag is deprecated and will likely be removed in a future version of Portainer.")
+	}
+
+	if *flags.TemplateFile != "" {
+		log.Println("Warning: the --template-file flag is deprecated and will likely be removed in a future version of Portainer.")
 	}
 }

@@ -114,6 +161,38 @@ func validateEndpointURL(endpointURL string) error {
 	return nil
 }

+func validateExternalEndpoints(externalEndpoints string) error {
+	if externalEndpoints != "" {
+		if _, err := os.Stat(externalEndpoints); err != nil {
+			if os.IsNotExist(err) {
+				return errEndpointsFileNotFound
+			}
+			return err
+		}
+	}
+	return nil
+}
+
+func validateTemplateFile(templateFile string) error {
+	if _, err := os.Stat(templateFile); err != nil {
+		if os.IsNotExist(err) {
+			return errTemplateFileNotFound
+		}
+		return err
+	}
+	return nil
+}
+
+func validateSyncInterval(syncInterval string) error {
+	if syncInterval != defaultSyncInterval {
+		_, err := time.ParseDuration(syncInterval)
+		if err != nil {
+			return errInvalidSyncInterval
+		}
+	}
+	return nil
+}
+
 func validateSnapshotInterval(snapshotInterval string) error {
 	if snapshotInterval != defaultSnapshotInterval {
 		_, err := time.ParseDuration(snapshotInterval)
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -8,6 +8,8 @@ const (
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "/data"
 	defaultAssetsDirectory     = "./"
+	defaultNoAuth              = "false"
+	defaultNoAnalytics         = "false"
 	defaultTLS                 = "false"
 	defaultTLSSkipVerify       = "false"
 	defaultTLSCACertPath       = "/certs/ca.pem"
@@ -16,5 +18,8 @@ const (
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
+	defaultSyncInterval        = "60s"
+	defaultSnapshot            = "true"
 	defaultSnapshotInterval    = "5m"
+	defaultTemplateFile        = "/templates.json"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -6,6 +6,8 @@ const (
 	defaultTunnelServerPort    = "8000"
 	defaultDataDirectory       = "C:\\data"
 	defaultAssetsDirectory     = "./"
+	defaultNoAuth              = "false"
+	defaultNoAnalytics         = "false"
 	defaultTLS                 = "false"
 	defaultTLSSkipVerify       = "false"
 	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
@@ -14,5 +16,8 @@ const (
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "C:\\certs\\portainer.crt"
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
+	defaultSyncInterval        = "60s"
+	defaultSnapshot            = "true"
 	defaultSnapshotInterval    = "5m"
+	defaultTemplateFile        = "/templates.json"
 )
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -1,15 +1,18 @@
 package main

 import (
+	"encoding/json"
 	"log"
 	"os"
 	"strings"
 	"time"

-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/chisel"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/bolt"
 	"github.com/portainer/portainer/api/cli"
+	"github.com/portainer/portainer/api/cron"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/exec"
@@ -17,23 +20,19 @@ import (
 	"github.com/portainer/portainer/api/git"
 	"github.com/portainer/portainer/api/http"
 	"github.com/portainer/portainer/api/http/client"
-	"github.com/portainer/portainer/api/internal/snapshot"
 	"github.com/portainer/portainer/api/jwt"
-	"github.com/portainer/portainer/api/kubernetes"
-	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
 	"github.com/portainer/portainer/api/libcompose"
-	"github.com/portainer/portainer/api/oauth"
 )

 func initCLI() *portainer.CLIFlags {
-	var cliService portainer.CLIService = &cli.Service{}
-	flags, err := cliService.ParseFlags(portainer.APIVersion)
+	var cli portainer.CLIService = &cli.Service{}
+	flags, err := cli.ParseFlags(portainer.APIVersion)
 	if err != nil {
 		log.Fatal(err)
 	}

-	err = cliService.ValidateFlags(flags)
+	err = cli.ValidateFlags(flags)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -48,7 +47,7 @@ func initFileService(dataStorePath string) portainer.FileService {
 	return fileService
 }

-func initDataStore(dataStorePath string, fileService portainer.FileService) portainer.DataStore {
+func initStore(dataStorePath string, fileService portainer.FileService) *bolt.Store {
 	store, err := bolt.NewStore(dataStorePath, fileService)
 	if err != nil {
 		log.Fatal(err)
@@ -71,6 +70,45 @@ func initDataStore(dataStorePath string, fileService portainer.FileService) port
 	return store
 }

+func initDemoData(store *bolt.Store, cryptoService portainer.CryptoService) error {
+	password, err := cryptoService.Hash("tryportainer")
+	if err != nil {
+		return err
+	}
+
+	admin := &portainer.User{
+		Username: "admin",
+		Password: password,
+		Role:     portainer.AdministratorRole,
+	}
+
+	err = store.UserService.CreateUser(admin)
+	if err != nil {
+		return err
+	}
+
+	localEndpoint := &portainer.Endpoint{
+		ID:        portainer.EndpointID(1),
+		Name:      "local",
+		URL:       "unix:///var/run/docker.sock",
+		PublicURL: "demo.portainer.io",
+		TLSConfig: portainer.TLSConfiguration{
+			TLS: false,
+		},
+		AuthorizedUsers: []portainer.UserID{},
+		AuthorizedTeams: []portainer.TeamID{},
+		Extensions:      []portainer.EndpointExtension{},
+		Tags:            []string{},
+	}
+
+	err = store.EndpointService.CreateEndpoint(localEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func initComposeStackManager(dataStorePath string, reverseTunnelService portainer.ReverseTunnelService) portainer.ComposeStackManager {
 	return libcompose.NewComposeStackManager(dataStorePath, reverseTunnelService)
 }
@@ -79,21 +117,15 @@ func initSwarmStackManager(assetsPath string, dataStorePath string, signatureSer
 	return exec.NewSwarmStackManager(assetsPath, dataStorePath, signatureService, fileService, reverseTunnelService)
 }

-func initKubernetesDeployer(assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(assetsPath)
-}
-
-func initJWTService(dataStore portainer.DataStore) (portainer.JWTService, error) {
-	settings, err := dataStore.Settings().Settings()
-	if err != nil {
-		return nil, err
+func initJWTService(authenticationEnabled bool) portainer.JWTService {
+	if authenticationEnabled {
+		jwtService, err := jwt.NewService()
+		if err != nil {
+			log.Fatal(err)
+		}
+		return jwtService
 	}
-
-	jwtService, err := jwt.NewService(settings.UserSessionTimeout)
-	if err != nil {
-		return nil, err
-	}
-	return jwtService, nil
+	return nil
 }

 func initDigitalSignatureService() portainer.DigitalSignatureService {
@@ -108,75 +140,249 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }

-func initOAuthService() portainer.OAuthService {
-	return oauth.NewService()
-}
-
 func initGitService() portainer.GitService {
 	return git.NewService()
 }

-func initDockerClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
+func initClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService) *docker.ClientFactory {
 	return docker.NewClientFactory(signatureService, reverseTunnelService)
 }

-func initKubernetesClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, instanceID string) *kubecli.ClientFactory {
-	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID)
+func initSnapshotter(clientFactory *docker.ClientFactory) portainer.Snapshotter {
+	return docker.NewSnapshotter(clientFactory)
 }

-func initSnapshotService(snapshotInterval string, dataStore portainer.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory) (portainer.SnapshotService, error) {
-	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
-	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)
-
-	snapshotService, err := snapshot.NewService(snapshotInterval, dataStore, dockerSnapshotter, kubernetesSnapshotter)
-	if err != nil {
-		return nil, err
-	}
-
-	return snapshotService, nil
+func initJobScheduler() portainer.JobScheduler {
+	return cron.NewJobScheduler()
 }

-func loadEdgeJobsFromDatabase(dataStore portainer.DataStore, reverseTunnelService portainer.ReverseTunnelService) error {
-	edgeJobs, err := dataStore.EdgeJob().EdgeJobs()
+func loadSnapshotSystemSchedule(jobScheduler portainer.JobScheduler, snapshotter portainer.Snapshotter, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, settingsService portainer.SettingsService) error {
+	settings, err := settingsService.Settings()
 	if err != nil {
 		return err
 	}

-	for _, edgeJob := range edgeJobs {
-		for endpointID := range edgeJob.Endpoints {
-			reverseTunnelService.AddEdgeJob(endpointID, &edgeJob)
+	schedules, err := scheduleService.SchedulesByJobType(portainer.SnapshotJobType)
+	if err != nil {
+		return err
+	}
+
+	var snapshotSchedule *portainer.Schedule
+	if len(schedules) == 0 {
+		snapshotJob := &portainer.SnapshotJob{}
+		snapshotSchedule = &portainer.Schedule{
+			ID:             portainer.ScheduleID(scheduleService.GetNextIdentifier()),
+			Name:           "system_snapshot",
+			CronExpression: "@every " + settings.SnapshotInterval,
+			Recurring:      true,
+			JobType:        portainer.SnapshotJobType,
+			SnapshotJob:    snapshotJob,
+			Created:        time.Now().Unix(),
+		}
+	} else {
+		snapshotSchedule = &schedules[0]
+	}
+
+	snapshotJobContext := cron.NewSnapshotJobContext(endpointService, snapshotter)
+	snapshotJobRunner := cron.NewSnapshotJobRunner(snapshotSchedule, snapshotJobContext)
+
+	err = jobScheduler.ScheduleJob(snapshotJobRunner)
+	if err != nil {
+		return err
+	}
+
+	if len(schedules) == 0 {
+		return scheduleService.CreateSchedule(snapshotSchedule)
+	}
+	return nil
+}
+
+func loadEndpointSyncSystemSchedule(jobScheduler portainer.JobScheduler, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, flags *portainer.CLIFlags) error {
+	if *flags.ExternalEndpoints == "" {
+		return nil
+	}
+
+	log.Println("Using external endpoint definition. Endpoint management via the API will be disabled.")
+
+	schedules, err := scheduleService.SchedulesByJobType(portainer.EndpointSyncJobType)
+	if err != nil {
+		return err
+	}
+
+	if len(schedules) != 0 {
+		return nil
+	}
+
+	endpointSyncJob := &portainer.EndpointSyncJob{}
+
+	endpointSyncSchedule := &portainer.Schedule{
+		ID:              portainer.ScheduleID(scheduleService.GetNextIdentifier()),
+		Name:            "system_endpointsync",
+		CronExpression:  "@every " + *flags.SyncInterval,
+		Recurring:       true,
+		JobType:         portainer.EndpointSyncJobType,
+		EndpointSyncJob: endpointSyncJob,
+		Created:         time.Now().Unix(),
+	}
+
+	endpointSyncJobContext := cron.NewEndpointSyncJobContext(endpointService, *flags.ExternalEndpoints)
+	endpointSyncJobRunner := cron.NewEndpointSyncJobRunner(endpointSyncSchedule, endpointSyncJobContext)
+
+	err = jobScheduler.ScheduleJob(endpointSyncJobRunner)
+	if err != nil {
+		return err
+	}
+
+	return scheduleService.CreateSchedule(endpointSyncSchedule)
+}
+
+func loadSchedulesFromDatabase(jobScheduler portainer.JobScheduler, jobService portainer.JobService, scheduleService portainer.ScheduleService, endpointService portainer.EndpointService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService) error {
+	schedules, err := scheduleService.Schedules()
+	if err != nil {
+		return err
+	}
+
+	for _, schedule := range schedules {
+
+		if schedule.JobType == portainer.ScriptExecutionJobType {
+			jobContext := cron.NewScriptExecutionJobContext(jobService, endpointService, fileService)
+			jobRunner := cron.NewScriptExecutionJobRunner(&schedule, jobContext)
+
+			err = jobScheduler.ScheduleJob(jobRunner)
+			if err != nil {
+				return err
+			}
+		}
+
+		if schedule.EdgeSchedule != nil {
+			for _, endpointID := range schedule.EdgeSchedule.Endpoints {
+				reverseTunnelService.AddSchedule(endpointID, schedule.EdgeSchedule)
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func initStatus(endpointManagement, snapshot bool, flags *portainer.CLIFlags) *portainer.Status {
+	return &portainer.Status{
+		Analytics:          !*flags.NoAnalytics,
+		Authentication:     !*flags.NoAuth,
+		EndpointManagement: endpointManagement,
+		Snapshot:           snapshot,
+		Version:            portainer.APIVersion,
+	}
+}
+
+func initDockerHub(dockerHubService portainer.DockerHubService) error {
+	_, err := dockerHubService.DockerHub()
+	if err == portainer.ErrObjectNotFound {
+		dockerhub := &portainer.DockerHub{
+			Authentication: false,
+			Username:       "",
+			Password:       "",
+		}
+		return dockerHubService.UpdateDockerHub(dockerhub)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initSettings(settingsService portainer.SettingsService, flags *portainer.CLIFlags) error {
+	_, err := settingsService.Settings()
+	if err == portainer.ErrObjectNotFound {
+		settings := &portainer.Settings{
+			LogoURL:              *flags.Logo,
+			AuthenticationMethod: portainer.AuthenticationInternal,
+			LDAPSettings: portainer.LDAPSettings{
+				AnonymousMode:   true,
+				AutoCreateUsers: true,
+				TLSConfig:       portainer.TLSConfiguration{},
+				SearchSettings: []portainer.LDAPSearchSettings{
+					portainer.LDAPSearchSettings{},
+				},
+				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
+					portainer.LDAPGroupSearchSettings{},
+				},
+			},
+			OAuthSettings:                       portainer.OAuthSettings{},
+			AllowBindMountsForRegularUsers:      true,
+			AllowPrivilegedModeForRegularUsers:  true,
+			AllowVolumeBrowserForRegularUsers:   false,
+			AllowDeviceMappingForRegularUsers:   true,
+			AllowStackManagementForRegularUsers: true,
+			EnableHostManagementFeatures:        false,
+			AllowHostNamespaceForRegularUsers:   true,
+			SnapshotInterval:                    *flags.SnapshotInterval,
+			EdgeAgentCheckinInterval:            portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
+		}
+
+		if *flags.Templates != "" {
+			settings.TemplatesURL = *flags.Templates
+		}
+
+		if *flags.Labels != nil {
+			settings.BlackListedLabels = *flags.Labels
+		} else {
+			settings.BlackListedLabels = make([]portainer.Pair, 0)
+		}
+
+		return settingsService.UpdateSettings(settings)
+	} else if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func initTemplates(templateService portainer.TemplateService, fileService portainer.FileService, templateURL, templateFile string) error {
+	if templateURL != "" {
+		log.Printf("Portainer started with the --templates flag. Using external templates, template management will be disabled.")
+		return nil
+	}
+
+	existingTemplates, err := templateService.Templates()
+	if err != nil {
+		return err
+	}
+
+	if len(existingTemplates) != 0 {
+		log.Printf("Templates already registered inside the database. Skipping template import.")
+		return nil
+	}
+
+	templatesJSON, err := fileService.GetFileContent(templateFile)
+	if err != nil {
+		log.Println("Unable to retrieve template definitions via filesystem")
+		return err
+	}
+
+	var templates []portainer.Template
+	err = json.Unmarshal(templatesJSON, &templates)
+	if err != nil {
+		log.Println("Unable to parse templates file. Please review your template definition file.")
+		return err
+	}
+
+	for _, template := range templates {
+		err := templateService.CreateTemplate(&template)
+		if err != nil {
+			return err
 		}
 	}

 	return nil
 }

-func initStatus(flags *portainer.CLIFlags) *portainer.Status {
-	return &portainer.Status{
-		Version: portainer.APIVersion,
-	}
-}
-
-func updateSettingsFromFlags(dataStore portainer.DataStore, flags *portainer.CLIFlags) error {
-	settings, err := dataStore.Settings().Settings()
+func retrieveFirstEndpointFromDatabase(endpointService portainer.EndpointService) *portainer.Endpoint {
+	endpoints, err := endpointService.Endpoints()
 	if err != nil {
-		return err
+		log.Fatal(err)
 	}
-
-	settings.LogoURL = *flags.Logo
-	settings.SnapshotInterval = *flags.SnapshotInterval
-	settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
-	settings.EnableTelemetry = true
-
-	if *flags.Templates != "" {
-		settings.TemplatesURL = *flags.Templates
-	}
-
-	if *flags.Labels != nil {
-		settings.BlackListedLabels = *flags.Labels
-	}
-
-	return dataStore.Settings().UpdateSettings(settings)
+	return &endpoints[0]
 }

 func loadAndParseKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
@@ -208,7 +414,7 @@ func initKeyPair(fileService portainer.FileService, signatureService portainer.D
 	return generateAndStoreKeyPair(fileService, signatureService)
 }

-func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
+func createTLSSecuredEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	tlsConfiguration := portainer.TLSConfiguration{
 		TLS:           *flags.TLS,
 		TLSSkipVerify: *flags.TLSSkipVerify,
@@ -222,7 +428,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		tlsConfiguration.TLS = true
 	}

-	endpointID := dataStore.Endpoint().GetNextIdentifier()
+	endpointID := endpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:                 portainer.EndpointID(endpointID),
 		Name:               "primary",
@@ -235,8 +441,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.DockerSnapshot{},
-		Kubernetes:         portainer.KubernetesDefault(),
+		Snapshots:          []portainer.Snapshot{},
 	}

 	if strings.HasPrefix(endpoint.URL, "tcp://") {
@@ -255,15 +460,10 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore portainer.Dat
 		}
 	}

-	err := snapshotService.SnapshotEndpoint(endpoint)
-	if err != nil {
-		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
-	}
-
-	return dataStore.Endpoint().CreateEndpoint(endpoint)
+	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
 }

-func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
+func createUnsecuredEndpoint(endpointURL string, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
 		_, err := client.ExecutePingOperation(endpointURL, nil)
 		if err != nil {
@@ -271,7 +471,7 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		}
 	}

-	endpointID := dataStore.Endpoint().GetNextIdentifier()
+	endpointID := endpointService.GetNextIdentifier()
 	endpoint := &portainer.Endpoint{
 		ID:                 portainer.EndpointID(endpointID),
 		Name:               "primary",
@@ -284,24 +484,32 @@ func createUnsecuredEndpoint(endpointURL string, dataStore portainer.DataStore,
 		Extensions:         []portainer.EndpointExtension{},
 		TagIDs:             []portainer.TagID{},
 		Status:             portainer.EndpointStatusUp,
-		Snapshots:          []portainer.DockerSnapshot{},
-		Kubernetes:         portainer.KubernetesDefault(),
+		Snapshots:          []portainer.Snapshot{},
 	}

-	err := snapshotService.SnapshotEndpoint(endpoint)
+	return snapshotAndPersistEndpoint(endpoint, endpointService, snapshotter)
+}
+
+func snapshotAndPersistEndpoint(endpoint *portainer.Endpoint, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
+	snapshot, err := snapshotter.CreateSnapshot(endpoint)
+	endpoint.Status = portainer.EndpointStatusUp
 	if err != nil {
 		log.Printf("http error: endpoint snapshot error (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

-	return dataStore.Endpoint().CreateEndpoint(endpoint)
+	if snapshot != nil {
+		endpoint.Snapshots = []portainer.Snapshot{*snapshot}
+	}
+
+	return endpointService.CreateEndpoint(endpoint)
 }

-func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snapshotService portainer.SnapshotService) error {
+func initEndpoint(flags *portainer.CLIFlags, endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) error {
 	if *flags.EndpointURL == "" {
 		return nil
 	}

-	endpoints, err := dataStore.Endpoint().Endpoints()
+	endpoints, err := endpointService.Endpoints()
 	if err != nil {
 		return err
 	}
@@ -312,16 +520,31 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore portainer.DataStore, snap
 	}

 	if *flags.TLS || *flags.TLSSkipVerify {
-		return createTLSSecuredEndpoint(flags, dataStore, snapshotService)
+		return createTLSSecuredEndpoint(flags, endpointService, snapshotter)
 	}
-	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotService)
+	return createUnsecuredEndpoint(*flags.EndpointURL, endpointService, snapshotter)
 }

-func terminateIfNoAdminCreated(dataStore portainer.DataStore) {
+func initJobService(dockerClientFactory *docker.ClientFactory) portainer.JobService {
+	return docker.NewJobService(dockerClientFactory)
+}
+
+func initExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) (portainer.ExtensionManager, error) {
+	extensionManager := exec.NewExtensionManager(fileService, extensionService)
+
+	err := extensionManager.StartExtensions()
+	if err != nil {
+		return nil, err
+	}
+
+	return extensionManager, nil
+}
+
+func terminateIfNoAdminCreated(userService portainer.UserService) {
 	timer1 := time.NewTimer(5 * time.Minute)
 	<-timer1.C

-	users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
+	users, err := userService.UsersByRole(portainer.AdministratorRole)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -337,44 +560,43 @@ func main() {

 	fileService := initFileService(*flags.Data)

-	dataStore := initDataStore(*flags.Data, fileService)
-	defer dataStore.Close()
+	store := initStore(*flags.Data, fileService)
+	defer store.Close()

-	jwtService, err := initJWTService(dataStore)
-	if err != nil {
-		log.Fatal(err)
-	}
+	jwtService := initJWTService(!*flags.NoAuth)

 	ldapService := initLDAPService()

-	oauthService := initOAuthService()
-
 	gitService := initGitService()

 	cryptoService := initCryptoService()

+	initDemoData(store, cryptoService)
+
 	digitalSignatureService := initDigitalSignatureService()

-	err = initKeyPair(fileService, digitalSignatureService)
+	err := initKeyPair(fileService, digitalSignatureService)
 	if err != nil {
 		log.Fatal(err)
 	}

-	reverseTunnelService := chisel.NewService(dataStore)
-
-	instanceID, err := dataStore.Version().InstanceID()
+	extensionManager, err := initExtensionManager(fileService, store.ExtensionService)
 	if err != nil {
 		log.Fatal(err)
 	}

-	dockerClientFactory := initDockerClientFactory(digitalSignatureService, reverseTunnelService)
-	kubernetesClientFactory := initKubernetesClientFactory(digitalSignatureService, reverseTunnelService, instanceID)
+	reverseTunnelService := chisel.NewService(store.EndpointService, store.TunnelServerService)

-	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory)
-	if err != nil {
-		log.Fatal(err)
+	clientFactory := initClientFactory(digitalSignatureService, reverseTunnelService)
+
+	jobService := initJobService(clientFactory)
+
+	snapshotter := initSnapshotter(clientFactory)
+
+	endpointManagement := true
+	if *flags.ExternalEndpoints != "" {
+		endpointManagement = false
 	}
-	snapshotService.Start()

 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, *flags.Data, digitalSignatureService, fileService, reverseTunnelService)
 	if err != nil {
@@ -383,23 +605,45 @@ func main() {

 	composeStackManager := initComposeStackManager(*flags.Data, reverseTunnelService)

-	kubernetesDeployer := initKubernetesDeployer(*flags.Assets)
+	err = initTemplates(store.TemplateService, fileService, *flags.Templates, *flags.TemplateFile)
+	if err != nil {
+		log.Fatal(err)
+	}

-	if dataStore.IsNew() {
-		err = updateSettingsFromFlags(dataStore, flags)
+	err = initSettings(store.SettingsService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	jobScheduler := initJobScheduler()
+
+	err = loadSchedulesFromDatabase(jobScheduler, jobService, store.ScheduleService, store.EndpointService, fileService, reverseTunnelService)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	err = loadEndpointSyncSystemSchedule(jobScheduler, store.ScheduleService, store.EndpointService, flags)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if *flags.Snapshot {
+		err = loadSnapshotSystemSchedule(jobScheduler, snapshotter, store.ScheduleService, store.EndpointService, store.SettingsService)
 		if err != nil {
 			log.Fatal(err)
 		}
 	}

-	err = loadEdgeJobsFromDatabase(dataStore, reverseTunnelService)
+	jobScheduler.Start()
+
+	err = initDockerHub(store.DockerHubService)
 	if err != nil {
 		log.Fatal(err)
 	}

-	applicationStatus := initStatus(flags)
+	applicationStatus := initStatus(endpointManagement, *flags.Snapshot, flags)

-	err = initEndpoint(flags, dataStore, snapshotService)
+	err = initEndpoint(flags, store.EndpointService, snapshotter)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -419,7 +663,7 @@ func main() {
 	}

 	if adminPasswordHash != "" {
-		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
+		users, err := store.UserService.UsersByRole(portainer.AdministratorRole)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -427,11 +671,12 @@ func main() {
 		if len(users) == 0 {
 			log.Println("Created admin user with the given password.")
 			user := &portainer.User{
-				Username: "admin",
-				Role:     portainer.AdministratorRole,
-				Password: adminPasswordHash,
+				Username:                "admin",
+				Role:                    portainer.AdministratorRole,
+				Password:                adminPasswordHash,
+				PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 			}
-			err := dataStore.User().CreateUser(user)
+			err := store.UserService.CreateUser(user)
 			if err != nil {
 				log.Fatal(err)
 			}
@@ -440,9 +685,11 @@ func main() {
 		}
 	}

-	go terminateIfNoAdminCreated(dataStore)
+	if !*flags.NoAuth {
+		go terminateIfNoAdminCreated(store.UserService)
+	}

-	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
+	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotter)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -452,23 +699,43 @@ func main() {
 		Status:                  applicationStatus,
 		BindAddress:             *flags.Addr,
 		AssetsPath:              *flags.Assets,
-		DataStore:               dataStore,
+		AuthDisabled:            *flags.NoAuth,
+		EndpointManagement:      endpointManagement,
+		RoleService:             store.RoleService,
+		UserService:             store.UserService,
+		TeamService:             store.TeamService,
+		TeamMembershipService:   store.TeamMembershipService,
+		EdgeGroupService:        store.EdgeGroupService,
+		EdgeStackService:        store.EdgeStackService,
+		EndpointService:         store.EndpointService,
+		EndpointGroupService:    store.EndpointGroupService,
+		EndpointRelationService: store.EndpointRelationService,
+		ExtensionService:        store.ExtensionService,
+		ResourceControlService:  store.ResourceControlService,
+		SettingsService:         store.SettingsService,
+		RegistryService:         store.RegistryService,
+		DockerHubService:        store.DockerHubService,
+		StackService:            store.StackService,
+		ScheduleService:         store.ScheduleService,
+		TagService:              store.TagService,
+		TemplateService:         store.TemplateService,
+		WebhookService:          store.WebhookService,
 		SwarmStackManager:       swarmStackManager,
 		ComposeStackManager:     composeStackManager,
-		KubernetesDeployer:      kubernetesDeployer,
+		ExtensionManager:        extensionManager,
 		CryptoService:           cryptoService,
 		JWTService:              jwtService,
 		FileService:             fileService,
 		LDAPService:             ldapService,
-		OAuthService:            oauthService,
 		GitService:              gitService,
 		SignatureService:        digitalSignatureService,
-		SnapshotService:         snapshotService,
+		JobScheduler:            jobScheduler,
+		Snapshotter:             snapshotter,
 		SSL:                     *flags.SSL,
 		SSLCert:                 *flags.SSLCert,
 		SSLKey:                  *flags.SSLKey,
-		DockerClientFactory:     dockerClientFactory,
-		KubernetesClientFactory: kubernetesClientFactory,
+		DockerClientFactory:     clientFactory,
+		JobService:              jobService,
 	}

 	log.Printf("Starting Portainer %s on %s", portainer.APIVersion, *flags.Addr)
--- a/api/cron/job_endpoint_sync.go
+++ b/api/cron/job_endpoint_sync.go
@@ -0,0 +1,214 @@
+package cron
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"log"
+	"strings"
+
+	"github.com/portainer/portainer/api"
+)
+
+// EndpointSyncJobRunner is used to run a EndpointSyncJob
+type EndpointSyncJobRunner struct {
+	schedule *portainer.Schedule
+	context  *EndpointSyncJobContext
+}
+
+// EndpointSyncJobContext represents the context of execution of a EndpointSyncJob
+type EndpointSyncJobContext struct {
+	endpointService  portainer.EndpointService
+	endpointFilePath string
+}
+
+// NewEndpointSyncJobContext returns a new context that can be used to execute a EndpointSyncJob
+func NewEndpointSyncJobContext(endpointService portainer.EndpointService, endpointFilePath string) *EndpointSyncJobContext {
+	return &EndpointSyncJobContext{
+		endpointService:  endpointService,
+		endpointFilePath: endpointFilePath,
+	}
+}
+
+// NewEndpointSyncJobRunner returns a new runner that can be scheduled
+func NewEndpointSyncJobRunner(schedule *portainer.Schedule, context *EndpointSyncJobContext) *EndpointSyncJobRunner {
+	return &EndpointSyncJobRunner{
+		schedule: schedule,
+		context:  context,
+	}
+}
+
+type synchronization struct {
+	endpointsToCreate []*portainer.Endpoint
+	endpointsToUpdate []*portainer.Endpoint
+	endpointsToDelete []*portainer.Endpoint
+}
+
+type fileEndpoint struct {
+	Name          string `json:"Name"`
+	URL           string `json:"URL"`
+	TLS           bool   `json:"TLS,omitempty"`
+	TLSSkipVerify bool   `json:"TLSSkipVerify,omitempty"`
+	TLSCACert     string `json:"TLSCACert,omitempty"`
+	TLSCert       string `json:"TLSCert,omitempty"`
+	TLSKey        string `json:"TLSKey,omitempty"`
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *EndpointSyncJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}
+
+// Run triggers the execution of the endpoint synchronization process.
+func (runner *EndpointSyncJobRunner) Run() {
+	data, err := ioutil.ReadFile(runner.context.endpointFilePath)
+	if endpointSyncError(err) {
+		return
+	}
+
+	var fileEndpoints []fileEndpoint
+	err = json.Unmarshal(data, &fileEndpoints)
+	if endpointSyncError(err) {
+		return
+	}
+
+	if len(fileEndpoints) == 0 {
+		log.Println("background job error (endpoint synchronization). External endpoint source is empty")
+		return
+	}
+
+	storedEndpoints, err := runner.context.endpointService.Endpoints()
+	if endpointSyncError(err) {
+		return
+	}
+
+	convertedFileEndpoints := convertFileEndpoints(fileEndpoints)
+
+	sync := prepareSyncData(storedEndpoints, convertedFileEndpoints)
+	if sync.requireSync() {
+		err = runner.context.endpointService.Synchronize(sync.endpointsToCreate, sync.endpointsToUpdate, sync.endpointsToDelete)
+		if endpointSyncError(err) {
+			return
+		}
+		log.Printf("Endpoint synchronization ended. [created: %v] [updated: %v] [deleted: %v]", len(sync.endpointsToCreate), len(sync.endpointsToUpdate), len(sync.endpointsToDelete))
+	}
+}
+
+func endpointSyncError(err error) bool {
+	if err != nil {
+		log.Printf("background job error (endpoint synchronization). Unable to synchronize endpoints (err=%s)\n", err)
+		return true
+	}
+	return false
+}
+
+func isValidEndpoint(endpoint *portainer.Endpoint) bool {
+	if endpoint.Name != "" && endpoint.URL != "" {
+		if !strings.HasPrefix(endpoint.URL, "unix://") && !strings.HasPrefix(endpoint.URL, "tcp://") {
+			return false
+		}
+		return true
+	}
+	return false
+}
+
+func convertFileEndpoints(fileEndpoints []fileEndpoint) []portainer.Endpoint {
+	convertedEndpoints := make([]portainer.Endpoint, 0)
+
+	for _, e := range fileEndpoints {
+		endpoint := portainer.Endpoint{
+			Name:      e.Name,
+			URL:       e.URL,
+			TLSConfig: portainer.TLSConfiguration{},
+		}
+		if e.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = e.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = e.TLSCACert
+			endpoint.TLSConfig.TLSCertPath = e.TLSCert
+			endpoint.TLSConfig.TLSKeyPath = e.TLSKey
+		}
+		convertedEndpoints = append(convertedEndpoints, endpoint)
+	}
+
+	return convertedEndpoints
+}
+
+func endpointExists(endpoint *portainer.Endpoint, endpoints []portainer.Endpoint) int {
+	for idx, v := range endpoints {
+		if endpoint.Name == v.Name && isValidEndpoint(&v) {
+			return idx
+		}
+	}
+	return -1
+}
+
+func mergeEndpointIfRequired(original, updated *portainer.Endpoint) *portainer.Endpoint {
+	var endpoint *portainer.Endpoint
+	if original.URL != updated.URL || original.TLSConfig.TLS != updated.TLSConfig.TLS ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSSkipVerify != updated.TLSConfig.TLSSkipVerify) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCACertPath != updated.TLSConfig.TLSCACertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSCertPath != updated.TLSConfig.TLSCertPath) ||
+		(updated.TLSConfig.TLS && original.TLSConfig.TLSKeyPath != updated.TLSConfig.TLSKeyPath) {
+		endpoint = original
+		endpoint.URL = updated.URL
+		if updated.TLSConfig.TLS {
+			endpoint.TLSConfig.TLS = true
+			endpoint.TLSConfig.TLSSkipVerify = updated.TLSConfig.TLSSkipVerify
+			endpoint.TLSConfig.TLSCACertPath = updated.TLSConfig.TLSCACertPath
+			endpoint.TLSConfig.TLSCertPath = updated.TLSConfig.TLSCertPath
+			endpoint.TLSConfig.TLSKeyPath = updated.TLSConfig.TLSKeyPath
+		} else {
+			endpoint.TLSConfig.TLS = false
+			endpoint.TLSConfig.TLSSkipVerify = false
+			endpoint.TLSConfig.TLSCACertPath = ""
+			endpoint.TLSConfig.TLSCertPath = ""
+			endpoint.TLSConfig.TLSKeyPath = ""
+		}
+	}
+	return endpoint
+}
+
+func (sync synchronization) requireSync() bool {
+	if len(sync.endpointsToCreate) != 0 || len(sync.endpointsToUpdate) != 0 || len(sync.endpointsToDelete) != 0 {
+		return true
+	}
+	return false
+}
+
+func prepareSyncData(storedEndpoints, fileEndpoints []portainer.Endpoint) *synchronization {
+	endpointsToCreate := make([]*portainer.Endpoint, 0)
+	endpointsToUpdate := make([]*portainer.Endpoint, 0)
+	endpointsToDelete := make([]*portainer.Endpoint, 0)
+
+	for idx := range storedEndpoints {
+		fidx := endpointExists(&storedEndpoints[idx], fileEndpoints)
+		if fidx != -1 {
+			endpoint := mergeEndpointIfRequired(&storedEndpoints[idx], &fileEndpoints[fidx])
+			if endpoint != nil {
+				log.Printf("New definition for a stored endpoint found in file, updating database. [name: %v] [url: %v]\n", endpoint.Name, endpoint.URL)
+				endpointsToUpdate = append(endpointsToUpdate, endpoint)
+			}
+		} else {
+			log.Printf("Stored endpoint not found in file (definition might be invalid), removing from database. [name: %v] [url: %v]", storedEndpoints[idx].Name, storedEndpoints[idx].URL)
+			endpointsToDelete = append(endpointsToDelete, &storedEndpoints[idx])
+		}
+	}
+
+	for idx, endpoint := range fileEndpoints {
+		if !isValidEndpoint(&endpoint) {
+			log.Printf("Invalid file endpoint definition, skipping. [name: %v] [url: %v]", endpoint.Name, endpoint.URL)
+			continue
+		}
+		sidx := endpointExists(&fileEndpoints[idx], storedEndpoints)
+		if sidx == -1 {
+			log.Printf("File endpoint not found in database, adding to database. [name: %v] [url: %v]", fileEndpoints[idx].Name, fileEndpoints[idx].URL)
+			endpointsToCreate = append(endpointsToCreate, &fileEndpoints[idx])
+		}
+	}
+
+	return &synchronization{
+		endpointsToCreate: endpointsToCreate,
+		endpointsToUpdate: endpointsToUpdate,
+		endpointsToDelete: endpointsToDelete,
+	}
+}
--- a/api/cron/job_script_execution.go
+++ b/api/cron/job_script_execution.go
@@ -0,0 +1,96 @@
+package cron
+
+import (
+	"log"
+	"time"
+
+	"github.com/portainer/portainer/api"
+)
+
+// ScriptExecutionJobRunner is used to run a ScriptExecutionJob
+type ScriptExecutionJobRunner struct {
+	schedule     *portainer.Schedule
+	context      *ScriptExecutionJobContext
+	executedOnce bool
+}
+
+// ScriptExecutionJobContext represents the context of execution of a ScriptExecutionJob
+type ScriptExecutionJobContext struct {
+	jobService      portainer.JobService
+	endpointService portainer.EndpointService
+	fileService     portainer.FileService
+}
+
+// NewScriptExecutionJobContext returns a new context that can be used to execute a ScriptExecutionJob
+func NewScriptExecutionJobContext(jobService portainer.JobService, endpointService portainer.EndpointService, fileService portainer.FileService) *ScriptExecutionJobContext {
+	return &ScriptExecutionJobContext{
+		jobService:      jobService,
+		endpointService: endpointService,
+		fileService:     fileService,
+	}
+}
+
+// NewScriptExecutionJobRunner returns a new runner that can be scheduled
+func NewScriptExecutionJobRunner(schedule *portainer.Schedule, context *ScriptExecutionJobContext) *ScriptExecutionJobRunner {
+	return &ScriptExecutionJobRunner{
+		schedule:     schedule,
+		context:      context,
+		executedOnce: false,
+	}
+}
+
+// Run triggers the execution of the job.
+// It will iterate through all the endpoints specified in the context to
+// execute the script associated to the job.
+func (runner *ScriptExecutionJobRunner) Run() {
+	if !runner.schedule.Recurring && runner.executedOnce {
+		return
+	}
+	runner.executedOnce = true
+
+	scriptFile, err := runner.context.fileService.GetFileContent(runner.schedule.ScriptExecutionJob.ScriptPath)
+	if err != nil {
+		log.Printf("scheduled job error (script execution). Unable to retrieve script file (err=%s)\n", err)
+		return
+	}
+
+	targets := make([]*portainer.Endpoint, 0)
+	for _, endpointID := range runner.schedule.ScriptExecutionJob.Endpoints {
+		endpoint, err := runner.context.endpointService.Endpoint(endpointID)
+		if err != nil {
+			log.Printf("scheduled job error (script execution). Unable to retrieve information about endpoint (id=%d) (err=%s)\n", endpointID, err)
+			return
+		}
+
+		targets = append(targets, endpoint)
+	}
+
+	runner.executeAndRetry(targets, scriptFile, 0)
+}
+
+func (runner *ScriptExecutionJobRunner) executeAndRetry(endpoints []*portainer.Endpoint, script []byte, retryCount int) {
+	retryTargets := make([]*portainer.Endpoint, 0)
+
+	for _, endpoint := range endpoints {
+		err := runner.context.jobService.ExecuteScript(endpoint, "", runner.schedule.ScriptExecutionJob.Image, script, runner.schedule)
+		if err == portainer.ErrUnableToPingEndpoint {
+			retryTargets = append(retryTargets, endpoint)
+		} else if err != nil {
+			log.Printf("scheduled job error (script execution). Unable to execute script (endpoint=%s) (err=%s)\n", endpoint.Name, err)
+		}
+	}
+
+	retryCount++
+	if retryCount >= runner.schedule.ScriptExecutionJob.RetryCount {
+		return
+	}
+
+	time.Sleep(time.Duration(runner.schedule.ScriptExecutionJob.RetryInterval) * time.Second)
+
+	runner.executeAndRetry(retryTargets, script, retryCount)
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *ScriptExecutionJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}
--- a/api/cron/job_snapshot.go
+++ b/api/cron/job_snapshot.go
@@ -0,0 +1,85 @@
+package cron
+
+import (
+	"log"
+
+	"github.com/portainer/portainer/api"
+)
+
+// SnapshotJobRunner is used to run a SnapshotJob
+type SnapshotJobRunner struct {
+	schedule *portainer.Schedule
+	context  *SnapshotJobContext
+}
+
+// SnapshotJobContext represents the context of execution of a SnapshotJob
+type SnapshotJobContext struct {
+	endpointService portainer.EndpointService
+	snapshotter     portainer.Snapshotter
+}
+
+// NewSnapshotJobContext returns a new context that can be used to execute a SnapshotJob
+func NewSnapshotJobContext(endpointService portainer.EndpointService, snapshotter portainer.Snapshotter) *SnapshotJobContext {
+	return &SnapshotJobContext{
+		endpointService: endpointService,
+		snapshotter:     snapshotter,
+	}
+}
+
+// NewSnapshotJobRunner returns a new runner that can be scheduled
+func NewSnapshotJobRunner(schedule *portainer.Schedule, context *SnapshotJobContext) *SnapshotJobRunner {
+	return &SnapshotJobRunner{
+		schedule: schedule,
+		context:  context,
+	}
+}
+
+// GetSchedule returns the schedule associated to the runner
+func (runner *SnapshotJobRunner) GetSchedule() *portainer.Schedule {
+	return runner.schedule
+}
+
+// Run triggers the execution of the schedule.
+// It will iterate through all the endpoints available in the database to
+// create a snapshot of each one of them.
+// As a snapshot can be a long process, to avoid any concurrency issue we
+// retrieve the latest version of the endpoint right after a snapshot.
+func (runner *SnapshotJobRunner) Run() {
+	go func() {
+		endpoints, err := runner.context.endpointService.Endpoints()
+		if err != nil {
+			log.Printf("background schedule error (endpoint snapshot). Unable to retrieve endpoint list (err=%s)\n", err)
+			return
+		}
+
+		for _, endpoint := range endpoints {
+			if endpoint.Type == portainer.AzureEnvironment || endpoint.Type == portainer.EdgeAgentEnvironment {
+				continue
+			}
+
+			snapshot, snapshotError := runner.context.snapshotter.CreateSnapshot(&endpoint)
+
+			latestEndpointReference, err := runner.context.endpointService.Endpoint(endpoint.ID)
+			if latestEndpointReference == nil {
+				log.Printf("background schedule error (endpoint snapshot). Endpoint not found inside the database anymore (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+				continue
+			}
+
+			latestEndpointReference.Status = portainer.EndpointStatusUp
+			if snapshotError != nil {
+				log.Printf("background schedule error (endpoint snapshot). Unable to create snapshot (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, snapshotError)
+				latestEndpointReference.Status = portainer.EndpointStatusDown
+			}
+
+			if snapshot != nil {
+				latestEndpointReference.Snapshots = []portainer.Snapshot{*snapshot}
+			}
+
+			err = runner.context.endpointService.UpdateEndpoint(latestEndpointReference.ID, latestEndpointReference)
+			if err != nil {
+				log.Printf("background schedule error (endpoint snapshot). Unable to update endpoint (endpoint=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+				return
+			}
+		}
+	}()
+}
--- a/api/cron/scheduler.go
+++ b/api/cron/scheduler.go
@@ -0,0 +1,116 @@
+package cron
+
+import (
+	"github.com/portainer/portainer/api"
+	"github.com/robfig/cron/v3"
+)
+
+// JobScheduler represents a service for managing crons
+type JobScheduler struct {
+	cron *cron.Cron
+}
+
+// NewJobScheduler initializes a new service
+func NewJobScheduler() *JobScheduler {
+	return &JobScheduler{
+		cron: cron.New(),
+	}
+}
+
+// ScheduleJob schedules the execution of a job via a runner
+func (scheduler *JobScheduler) ScheduleJob(runner portainer.JobRunner) error {
+	_, err := scheduler.cron.AddJob(runner.GetSchedule().CronExpression, runner)
+	return err
+}
+
+// UpdateSystemJobSchedule updates the first occurence of the specified
+// scheduled job based on the specified job type.
+// It does so by re-creating a new cron
+// and adding all the existing jobs. It will then re-schedule the new job
+// with the update cron expression passed in parameter.
+// NOTE: the cron library do not support updating schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UpdateSystemJobSchedule(jobType portainer.JobType, newCronExpression string) error {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
+
+	for _, entry := range cronEntries {
+		if entry.Job.(portainer.JobRunner).GetSchedule().JobType == jobType {
+			_, err := newCron.AddJob(newCronExpression, entry.Job)
+			if err != nil {
+				return err
+			}
+			continue
+		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
+	}
+
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
+	scheduler.cron.Start()
+	return nil
+}
+
+// UpdateJobSchedule updates a specific scheduled job by re-creating a new cron
+// and adding all the existing jobs. It will then re-schedule the new job
+// via the specified JobRunner parameter.
+// NOTE: the cron library do not support updating schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UpdateJobSchedule(runner portainer.JobRunner) error {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
+
+	for _, entry := range cronEntries {
+
+		if entry.Job.(portainer.JobRunner).GetSchedule().ID == runner.GetSchedule().ID {
+
+			var jobRunner cron.Job = runner
+			if entry.Job.(portainer.JobRunner).GetSchedule().JobType == portainer.SnapshotJobType {
+				jobRunner = entry.Job
+			}
+
+			_, err := newCron.AddJob(runner.GetSchedule().CronExpression, jobRunner)
+			if err != nil {
+				return err
+			}
+			continue
+		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
+	}
+
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
+	scheduler.cron.Start()
+	return nil
+}
+
+// UnscheduleJob remove a scheduled job by re-creating a new cron
+// and adding all the existing jobs except for the one specified via scheduleID.
+// NOTE: the cron library do not support removing schedules directly
+// hence the work-around
+func (scheduler *JobScheduler) UnscheduleJob(scheduleID portainer.ScheduleID) {
+	cronEntries := scheduler.cron.Entries()
+	newCron := cron.New()
+
+	for _, entry := range cronEntries {
+
+		if entry.Job.(portainer.JobRunner).GetSchedule().ID == scheduleID {
+			continue
+		}
+
+		newCron.Schedule(entry.Schedule, entry.Job)
+	}
+
+	scheduler.cron.Stop()
+	scheduler.cron = newCron
+	scheduler.cron.Start()
+}
+
+// Start starts the scheduled jobs
+func (scheduler *JobScheduler) Start() {
+	if len(scheduler.cron.Entries()) > 0 {
+		scheduler.cron.Start()
+	}
+}
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -6,7 +6,7 @@ import (
 	"io/ioutil"
 )

-// CreateServerTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
+// CreateTLSConfiguration creates a basic tls.Config to be used by servers with recommended TLS settings
 func CreateServerTLSConfiguration() *tls.Config {
 	return &tls.Config{
 		MinVersion: tls.VersionTLS12,
--- a/api/docker/client.go
+++ b/api/docker/client.go
@@ -1,7 +1,6 @@
 package docker

 import (
-	"errors"
 	"fmt"
 	"net/http"
 	"strings"
@@ -12,9 +11,8 @@ import (
 	"github.com/portainer/portainer/api/crypto"
 )

-var errUnsupportedEnvironmentType = errors.New("Environment not supported")
-
 const (
+	unsupportedEnvironmentType  = portainer.Error("Environment not supported")
 	defaultDockerRequestTimeout = 60
 	dockerClientVersion         = "1.37"
 )
@@ -33,15 +31,15 @@ func NewClientFactory(signatureService portainer.DigitalSignatureService, revers
 	}
 }

-// createClient is a generic function to create a Docker client based on
+// CreateClient is a generic function to create a Docker client based on
 // a specific endpoint configuration. The nodeName parameter can be used
 // with an agent enabled endpoint to target a specific node in an agent cluster.
 func (factory *ClientFactory) CreateClient(endpoint *portainer.Endpoint, nodeName string) (*client.Client, error) {
 	if endpoint.Type == portainer.AzureEnvironment {
-		return nil, errUnsupportedEnvironmentType
+		return nil, unsupportedEnvironmentType
 	} else if endpoint.Type == portainer.AgentOnDockerEnvironment {
 		return createAgentClient(endpoint, factory.signatureService, nodeName)
-	} else if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
+	} else if endpoint.Type == portainer.EdgeAgentEnvironment {
 		return createEdgeClient(endpoint, factory.reverseTunnelService, nodeName)
 	}

--- a/api/docker/errors.go
+++ b/api/docker/errors.go
@@ -1,8 +0,0 @@
-package docker
-
-import "errors"
-
-// Docker errors
-var (
-	ErrUnableToPingEndpoint = errors.New("Unable to communicate with the endpoint")
-)
--- a/api/docker/job.go
+++ b/api/docker/job.go
@@ -0,0 +1,115 @@
+package docker
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"io/ioutil"
+	"strconv"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/api/types/strslice"
+	"github.com/docker/docker/client"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"
+)
+
+// JobService represents a service that handles the execution of jobs
+type JobService struct {
+	dockerClientFactory *ClientFactory
+}
+
+// NewJobService returns a pointer to a new job service
+func NewJobService(dockerClientFactory *ClientFactory) *JobService {
+	return &JobService{
+		dockerClientFactory: dockerClientFactory,
+	}
+}
+
+// ExecuteScript will leverage a privileged container to execute a script against the specified endpoint/nodename.
+// It will copy the script content specified as a parameter inside a container based on the specified image and execute it.
+func (service *JobService) ExecuteScript(endpoint *portainer.Endpoint, nodeName, image string, script []byte, schedule *portainer.Schedule) error {
+	buffer, err := archive.TarFileInBuffer(script, "script.sh", 0700)
+	if err != nil {
+		return err
+	}
+
+	cli, err := service.dockerClientFactory.CreateClient(endpoint, nodeName)
+	if err != nil {
+		return err
+	}
+	defer cli.Close()
+
+	_, err = cli.Ping(context.Background())
+	if err != nil {
+		return portainer.ErrUnableToPingEndpoint
+	}
+
+	err = pullImage(cli, image)
+	if err != nil {
+		return err
+	}
+
+	containerConfig := &container.Config{
+		AttachStdin:  true,
+		AttachStdout: true,
+		AttachStderr: true,
+		Tty:          true,
+		WorkingDir:   "/tmp",
+		Image:        image,
+		Labels: map[string]string{
+			"io.portainer.job.endpoint": strconv.Itoa(int(endpoint.ID)),
+		},
+		Cmd: strslice.StrSlice([]string{"sh", "/tmp/script.sh"}),
+	}
+
+	if schedule != nil {
+		containerConfig.Labels["io.portainer.schedule.id"] = strconv.Itoa(int(schedule.ID))
+	}
+
+	hostConfig := &container.HostConfig{
+		Binds:       []string{"/:/host", "/etc:/etc:ro", "/usr:/usr:ro", "/run:/run:ro", "/sbin:/sbin:ro", "/var:/var:ro"},
+		NetworkMode: "host",
+		Privileged:  true,
+	}
+
+	networkConfig := &network.NetworkingConfig{}
+
+	body, err := cli.ContainerCreate(context.Background(), containerConfig, hostConfig, networkConfig, "")
+	if err != nil {
+		return err
+	}
+
+	if schedule != nil {
+		err = cli.ContainerRename(context.Background(), body.ID, schedule.Name+"_"+body.ID)
+		if err != nil {
+			return err
+		}
+	}
+
+	copyOptions := types.CopyToContainerOptions{}
+	err = cli.CopyToContainer(context.Background(), body.ID, "/tmp", bytes.NewReader(buffer), copyOptions)
+	if err != nil {
+		return err
+	}
+
+	startOptions := types.ContainerStartOptions{}
+	return cli.ContainerStart(context.Background(), body.ID, startOptions)
+}
+
+func pullImage(cli *client.Client, image string) error {
+	imageReadCloser, err := cli.ImagePull(context.Background(), image, types.ImagePullOptions{})
+	if err != nil {
+		return err
+	}
+	defer imageReadCloser.Close()
+
+	_, err = io.Copy(ioutil.Discard, imageReadCloser)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/api/docker/snapshot.go
+++ b/api/docker/snapshot.go
@@ -12,36 +12,13 @@ import (
 	"github.com/portainer/portainer/api"
 )

-// Snapshotter represents a service used to create endpoint snapshots
-type Snapshotter struct {
-	clientFactory *ClientFactory
-}
-
-// NewSnapshotter returns a new Snapshotter instance
-func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {
-	return &Snapshotter{
-		clientFactory: clientFactory,
-	}
-}
-
-// CreateSnapshot creates a snapshot of a specific Docker endpoint
-func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
-	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
-	if err != nil {
-		return nil, err
-	}
-	defer cli.Close()
-
-	return snapshot(cli, endpoint)
-}
-
-func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.DockerSnapshot, error) {
+func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
 	_, err := cli.Ping(context.Background())
 	if err != nil {
 		return nil, err
 	}

-	snapshot := &portainer.DockerSnapshot{
+	snapshot := &portainer.Snapshot{
 		StackCount: 0,
 	}

@@ -91,7 +68,7 @@ func snapshot(cli *client.Client, endpoint *portainer.Endpoint) (*portainer.Dock
 	return snapshot, nil
 }

-func snapshotInfo(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotInfo(snapshot *portainer.Snapshot, cli *client.Client) error {
 	info, err := cli.Info(context.Background())
 	if err != nil {
 		return err
@@ -105,7 +82,7 @@ func snapshotInfo(snapshot *portainer.DockerSnapshot, cli *client.Client) error
 	return nil
 }

-func snapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotNodes(snapshot *portainer.Snapshot, cli *client.Client) error {
 	nodes, err := cli.NodeList(context.Background(), types.NodeListOptions{})
 	if err != nil {
 		return err
@@ -121,7 +98,7 @@ func snapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client) error
 	return nil
 }

-func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotSwarmServices(snapshot *portainer.Snapshot, cli *client.Client) error {
 	stacks := make(map[string]struct{})

 	services, err := cli.ServiceList(context.Background(), types.ServiceListOptions{})
@@ -142,7 +119,7 @@ func snapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client.Clien
 	return nil
 }

-func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotContainers(snapshot *portainer.Snapshot, cli *client.Client) error {
 	containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{All: true})
 	if err != nil {
 		return err
@@ -182,7 +159,7 @@ func snapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client)
 	return nil
 }

-func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotImages(snapshot *portainer.Snapshot, cli *client.Client) error {
 	images, err := cli.ImageList(context.Background(), types.ImageListOptions{})
 	if err != nil {
 		return err
@@ -193,7 +170,7 @@ func snapshotImages(snapshot *portainer.DockerSnapshot, cli *client.Client) erro
 	return nil
 }

-func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotVolumes(snapshot *portainer.Snapshot, cli *client.Client) error {
 	volumes, err := cli.VolumeList(context.Background(), filters.Args{})
 	if err != nil {
 		return err
@@ -204,7 +181,7 @@ func snapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Client) err
 	return nil
 }

-func snapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotNetworks(snapshot *portainer.Snapshot, cli *client.Client) error {
 	networks, err := cli.NetworkList(context.Background(), types.NetworkListOptions{})
 	if err != nil {
 		return err
@@ -213,7 +190,7 @@ func snapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) er
 	return nil
 }

-func snapshotVersion(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
+func snapshotVersion(snapshot *portainer.Snapshot, cli *client.Client) error {
 	version, err := cli.ServerVersion(context.Background())
 	if err != nil {
 		return err
--- a/api/docker/snapshotter.go
+++ b/api/docker/snapshotter.go
@@ -0,0 +1,28 @@
+package docker
+
+import (
+	"github.com/portainer/portainer/api"
+)
+
+// Snapshotter represents a service used to create endpoint snapshots
+type Snapshotter struct {
+	clientFactory *ClientFactory
+}
+
+// NewSnapshotter returns a new Snapshotter instance
+func NewSnapshotter(clientFactory *ClientFactory) *Snapshotter {
+	return &Snapshotter{
+		clientFactory: clientFactory,
+	}
+}
+
+// CreateSnapshot creates a snapshot of a specific endpoint
+func (snapshotter *Snapshotter) CreateSnapshot(endpoint *portainer.Endpoint) (*portainer.Snapshot, error) {
+	cli, err := snapshotter.clientFactory.CreateClient(endpoint, "")
+	if err != nil {
+		return nil, err
+	}
+	defer cli.Close()
+
+	return snapshot(cli, endpoint)
+}
--- a/api/edgegroup.go
+++ b/api/edgegroup.go
@@ -0,0 +1,54 @@
+package portainer
+
+// EdgeGroupRelatedEndpoints returns a list of endpoints related to this Edge group
+func EdgeGroupRelatedEndpoints(edgeGroup *EdgeGroup, endpoints []Endpoint, endpointGroups []EndpointGroup) []EndpointID {
+	if !edgeGroup.Dynamic {
+		return edgeGroup.Endpoints
+	}
+
+	endpointIDs := []EndpointID{}
+	for _, endpoint := range endpoints {
+		if endpoint.Type != EdgeAgentEnvironment {
+			continue
+		}
+
+		var endpointGroup EndpointGroup
+		for _, group := range endpointGroups {
+			if endpoint.GroupID == group.ID {
+				endpointGroup = group
+				break
+			}
+		}
+
+		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
+			endpointIDs = append(endpointIDs, endpoint.ID)
+		}
+	}
+
+	return endpointIDs
+}
+
+// edgeGroupRelatedToEndpoint returns true is edgeGroup is associated with endpoint
+func edgeGroupRelatedToEndpoint(edgeGroup *EdgeGroup, endpoint *Endpoint, endpointGroup *EndpointGroup) bool {
+	if !edgeGroup.Dynamic {
+		for _, endpointID := range edgeGroup.Endpoints {
+			if endpoint.ID == endpointID {
+				return true
+			}
+		}
+		return false
+	}
+
+	endpointTags := TagSet(endpoint.TagIDs)
+	if endpointGroup.TagIDs != nil {
+		endpointTags = TagUnion(endpointTags, TagSet(endpointGroup.TagIDs))
+	}
+	edgeGroupTags := TagSet(edgeGroup.TagIDs)
+
+	if edgeGroup.PartialMatch {
+		intersection := TagIntersection(endpointTags, edgeGroupTags)
+		return len(intersection) != 0
+	}
+
+	return TagContains(edgeGroupTags, endpointTags)
+}
--- a/api/internal/edge/edgestack.go
+++ b/api/internal/edge/edgestack.go
@@ -1,16 +1,13 @@
-package edge
+package portainer

-import (
-	"errors"
-	"github.com/portainer/portainer/api"
-)
+import "errors"

 // EdgeStackRelatedEndpoints returns a list of endpoints related to this Edge stack
-func EdgeStackRelatedEndpoints(edgeGroupIDs []portainer.EdgeGroupID, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup, edgeGroups []portainer.EdgeGroup) ([]portainer.EndpointID, error) {
-	edgeStackEndpoints := []portainer.EndpointID{}
+func EdgeStackRelatedEndpoints(edgeGroupIDs []EdgeGroupID, endpoints []Endpoint, endpointGroups []EndpointGroup, edgeGroups []EdgeGroup) ([]EndpointID, error) {
+	edgeStackEndpoints := []EndpointID{}

 	for _, edgeGroupID := range edgeGroupIDs {
-		var edgeGroup *portainer.EdgeGroup
+		var edgeGroup *EdgeGroup

 		for _, group := range edgeGroups {
 			if group.ID == edgeGroupID {
--- a/api/internal/edge/endpoint.go
+++ b/api/internal/edge/endpoint.go
@@ -1,10 +1,8 @@
-package edge
-
-import "github.com/portainer/portainer/api"
+package portainer

 // EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Endpoint
-func EndpointRelatedEdgeStacks(endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) []portainer.EdgeStackID {
-	relatedEdgeGroupsSet := map[portainer.EdgeGroupID]bool{}
+func EndpointRelatedEdgeStacks(endpoint *Endpoint, endpointGroup *EndpointGroup, edgeGroups []EdgeGroup, edgeStacks []EdgeStack) []EdgeStackID {
+	relatedEdgeGroupsSet := map[EdgeGroupID]bool{}

 	for _, edgeGroup := range edgeGroups {
 		if edgeGroupRelatedToEndpoint(&edgeGroup, endpoint, endpointGroup) {
@@ -12,7 +10,7 @@ func EndpointRelatedEdgeStacks(endpoint *portainer.Endpoint, endpointGroup *port
 		}
 	}

-	relatedEdgeStacks := []portainer.EdgeStackID{}
+	relatedEdgeStacks := []EdgeStackID{}
 	for _, edgeStack := range edgeStacks {
 		for _, edgeGroupID := range edgeStack.EdgeGroups {
 			if relatedEdgeGroupsSet[edgeGroupID] {
--- a/api/errors.go
+++ b/api/errors.go
@@ -0,0 +1,122 @@
+package portainer
+
+// General errors.
+const (
+	ErrUnauthorized           = Error("Unauthorized")
+	ErrResourceAccessDenied   = Error("Access denied to resource")
+	ErrAuthorizationRequired  = Error("Authorization required for this operation")
+	ErrObjectNotFound         = Error("Object not found inside the database")
+	ErrMissingSecurityContext = Error("Unable to find security details in request context")
+)
+
+// User errors.
+const (
+	ErrUserAlreadyExists          = Error("User already exists")
+	ErrInvalidUsername            = Error("Invalid username. White spaces are not allowed")
+	ErrAdminAlreadyInitialized    = Error("An administrator user already exists")
+	ErrAdminCannotRemoveSelf      = Error("Cannot remove your own user account. Contact another administrator")
+	ErrCannotRemoveLastLocalAdmin = Error("Cannot remove the last local administrator account")
+)
+
+// Team errors.
+const (
+	ErrTeamAlreadyExists = Error("Team already exists")
+)
+
+// TeamMembership errors.
+const (
+	ErrTeamMembershipAlreadyExists = Error("Team membership already exists for this user and team")
+)
+
+// ResourceControl errors.
+const (
+	ErrResourceControlAlreadyExists = Error("A resource control is already applied on this resource")
+	ErrInvalidResourceControlType   = Error("Unsupported resource control type")
+)
+
+// Endpoint errors.
+const (
+	ErrEndpointAccessDenied = Error("Access denied to endpoint")
+)
+
+// Azure environment errors
+const (
+	ErrAzureInvalidCredentials = Error("Invalid Azure credentials")
+)
+
+// Endpoint group errors.
+const (
+	ErrCannotRemoveDefaultGroup = Error("Cannot remove the default endpoint group")
+)
+
+// Registry errors.
+const (
+	ErrRegistryAlreadyExists = Error("A registry is already defined for this URL")
+)
+
+// Stack errors
+const (
+	ErrStackAlreadyExists              = Error("A stack already exists with this name")
+	ErrComposeFileNotFoundInRepository = Error("Unable to find a Compose file in the repository")
+	ErrStackNotExternal                = Error("Not an external stack")
+)
+
+// Tag errors
+const (
+	ErrTagAlreadyExists = Error("A tag already exists with this name")
+)
+
+// Endpoint extensions error
+const (
+	ErrEndpointExtensionNotSupported      = Error("This extension is not supported")
+	ErrEndpointExtensionAlreadyAssociated = Error("This extension is already associated to the endpoint")
+)
+
+// Crypto errors.
+const (
+	ErrCryptoHashFailure = Error("Unable to hash data")
+)
+
+// JWT errors.
+const (
+	ErrSecretGeneration   = Error("Unable to generate secret key")
+	ErrInvalidJWTToken    = Error("Invalid JWT token")
+	ErrMissingContextData = Error("Unable to find JWT data in request context")
+)
+
+// File errors.
+const (
+	ErrUndefinedTLSFileType = Error("Undefined TLS file type")
+)
+
+// Demo errors.
+const (
+	ErrNotAvailableInDemo = Error("This feature is not available in the demo version of Portainer")
+)
+
+// Extension errors.
+const (
+	ErrExtensionAlreadyEnabled = Error("This extension is already enabled")
+)
+
+// Docker errors.
+const (
+	ErrUnableToPingEndpoint = Error("Unable to communicate with the endpoint")
+)
+
+// Schedule errors.
+const (
+	ErrHostManagementFeaturesDisabled = Error("Host management features are disabled")
+)
+
+// Error represents an application error.
+type Error string
+
+// Error returns the error message.
+func (e Error) Error() string { return string(e) }
+
+// Webhook errors
+const (
+	ErrWebhookAlreadyExists   = Error("A webhook for this resource already exists")
+	ErrUnsupportedWebhookType = Error("Webhooks for this resource are not currently supported")
+)
--- a/api/exec/extension.go
+++ b/api/exec/extension.go
@@ -0,0 +1,313 @@
+package exec
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"regexp"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-semver/semver"
+
+	"github.com/orcaman/concurrent-map"
+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/client"
+)
+
+var extensionDownloadBaseURL = portainer.AssetsServerURL + "/extensions/"
+var extensionVersionRegexp = regexp.MustCompile(`\d+(\.\d+)+`)
+
+var extensionBinaryMap = map[portainer.ExtensionID]string{
+	portainer.RegistryManagementExtension:  "extension-registry-management",
+	portainer.OAuthAuthenticationExtension: "extension-oauth-authentication",
+	portainer.RBACExtension:                "extension-rbac",
+}
+
+// ExtensionManager represents a service used to
+// manage extension processes.
+type ExtensionManager struct {
+	processes        cmap.ConcurrentMap
+	fileService      portainer.FileService
+	extensionService portainer.ExtensionService
+}
+
+// NewExtensionManager returns a pointer to an ExtensionManager
+func NewExtensionManager(fileService portainer.FileService, extensionService portainer.ExtensionService) *ExtensionManager {
+	return &ExtensionManager{
+		processes:        cmap.New(),
+		fileService:      fileService,
+		extensionService: extensionService,
+	}
+}
+
+func processKey(ID portainer.ExtensionID) string {
+	return strconv.Itoa(int(ID))
+}
+
+func buildExtensionURL(extension *portainer.Extension) string {
+	return fmt.Sprintf("%s%s-%s-%s-%s.zip", extensionDownloadBaseURL, extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+}
+
+func buildExtensionPath(binaryPath string, extension *portainer.Extension) string {
+	extensionFilename := fmt.Sprintf("%s-%s-%s-%s", extensionBinaryMap[extension.ID], runtime.GOOS, runtime.GOARCH, extension.Version)
+	if runtime.GOOS == "windows" {
+		extensionFilename += ".exe"
+	}
+
+	extensionPath := path.Join(
+		binaryPath,
+		extensionFilename)
+
+	return extensionPath
+}
+
+// FetchExtensionDefinitions will fetch the list of available
+// extension definitions from the official Portainer assets server.
+// If it cannot retrieve the data from the Internet it will fallback to the locally cached
+// manifest file.
+func (manager *ExtensionManager) FetchExtensionDefinitions() ([]portainer.Extension, error) {
+	var extensionData []byte
+
+	extensionData, err := client.Get(portainer.ExtensionDefinitionsURL, 5)
+	if err != nil {
+		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extensions manifest via Internet. Extensions will be retrieved from local cache and might not be up to date] [err: %s]", err)
+
+		extensionData, err = manager.fileService.GetFileContent(portainer.LocalExtensionManifestFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	var extensions []portainer.Extension
+	err = json.Unmarshal(extensionData, &extensions)
+	if err != nil {
+		return nil, err
+	}
+
+	return extensions, nil
+}
+
+// InstallExtension will install the extension from an archive. It will extract the extension version number from
+// the archive file name first and return an error if the file name is not valid (cannot find extension version).
+// It will then extract the archive and execute the EnableExtension function to enable the extension.
+// Since we're missing information about this extension (stored on Portainer.io server) we need to assume
+// default information based on the extension ID.
+func (manager *ExtensionManager) InstallExtension(extension *portainer.Extension, licenseKey string, archiveFileName string, extensionArchive []byte) error {
+	extensionVersion := extensionVersionRegexp.FindString(archiveFileName)
+	if extensionVersion == "" {
+		return errors.New("invalid extension archive filename: unable to retrieve extension version")
+	}
+
+	err := manager.fileService.ExtractExtensionArchive(extensionArchive)
+	if err != nil {
+		return err
+	}
+
+	switch extension.ID {
+	case portainer.RegistryManagementExtension:
+		extension.Name = "Registry Manager"
+	case portainer.OAuthAuthenticationExtension:
+		extension.Name = "External Authentication"
+	case portainer.RBACExtension:
+		extension.Name = "Role-Based Access Control"
+	}
+	extension.ShortDescription = "Extension enabled offline"
+	extension.Version = extensionVersion
+	extension.Available = true
+
+	return manager.EnableExtension(extension, licenseKey)
+}
+
+// EnableExtension will check for the existence of the extension binary on the filesystem
+// first. If it does not exist, it will download it from the official Portainer assets server.
+// After installing the binary on the filesystem, it will execute the binary in license check
+// mode to validate the extension license. If the license is valid, it will then start
+// the extension process and register it in the processes map.
+func (manager *ExtensionManager) EnableExtension(extension *portainer.Extension, licenseKey string) error {
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	extensionBinaryExists, err := manager.fileService.FileExists(extensionBinaryPath)
+	if err != nil {
+		return err
+	}
+
+	if !extensionBinaryExists {
+		err := manager.downloadExtension(extension)
+		if err != nil {
+			return err
+		}
+	}
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, licenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.License = portainer.LicenseInformation{
+		LicenseKey: licenseKey,
+		Company:    licenseDetails[0],
+		Expiration: licenseDetails[1],
+		Valid:      true,
+	}
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+// DisableExtension will retrieve the process associated to the extension
+// from the processes map and kill the process. It will then remove the process
+// from the processes map and remove the binary associated to the extension
+// from the filesystem
+func (manager *ExtensionManager) DisableExtension(extension *portainer.Extension) error {
+	process, ok := manager.processes.Get(processKey(extension.ID))
+	if !ok {
+		return nil
+	}
+
+	err := process.(*exec.Cmd).Process.Kill()
+	if err != nil {
+		return err
+	}
+
+	manager.processes.Remove(processKey(extension.ID))
+
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+	return manager.fileService.RemoveDirectory(extensionBinaryPath)
+}
+
+// StartExtensions will retrieve the extensions definitions from the Internet and check if a new version of each
+// extension is available. If so, it will automatically install the new version of the extension. If no update is
+// available it will simply start the extension.
+// The purpose of this function is to be ran at startup, as such most of the error handling won't block the program execution
+// and will log warning messages instead.
+func (manager *ExtensionManager) StartExtensions() error {
+	extensions, err := manager.extensionService.Extensions()
+	if err != nil {
+		return err
+	}
+
+	definitions, err := manager.FetchExtensionDefinitions()
+	if err != nil {
+		log.Printf("[WARN] [exec,extensions] [message: unable to retrieve extension information from Internet. Skipping extensions update check.] [err: %s]", err)
+		return nil
+	}
+
+	return manager.updateAndStartExtensions(extensions, definitions)
+}
+
+func (manager *ExtensionManager) updateAndStartExtensions(extensions []portainer.Extension, definitions []portainer.Extension) error {
+	for _, definition := range definitions {
+		for _, extension := range extensions {
+			if extension.ID == definition.ID {
+				definitionVersion := semver.New(definition.Version)
+				extensionVersion := semver.New(extension.Version)
+
+				if extensionVersion.LessThan(*definitionVersion) {
+					log.Printf("[INFO] [exec,extensions] [message: new version detected, updating extension] [extension: %s] [current_version: %s] [available_version: %s]", extension.Name, extension.Version, definition.Version)
+					err := manager.UpdateExtension(&extension, definition.Version)
+					if err != nil {
+						log.Printf("[WARN] [exec,extensions] [message: unable to update extension automatically] [extension: %s] [current_version: %s] [available_version: %s] [err: %s]", extension.Name, extension.Version, definition.Version, err)
+					}
+				} else {
+					err := manager.EnableExtension(&extension, extension.License.LicenseKey)
+					if err != nil {
+						log.Printf("[WARN] [exec,extensions] [message: unable to start extension] [extension: %s] [err: %s]", extension.Name, err)
+						extension.Enabled = false
+						extension.License.Valid = false
+					}
+				}
+
+				err := manager.extensionService.Persist(&extension)
+				if err != nil {
+					return err
+				}
+
+				break
+			}
+		}
+	}
+
+	return nil
+}
+
+// UpdateExtension will download the new extension binary from the official Portainer assets
+// server, disable the previous extension via DisableExtension, trigger a license check
+// and then start the extension process and add it to the processes map
+func (manager *ExtensionManager) UpdateExtension(extension *portainer.Extension, version string) error {
+	oldVersion := extension.Version
+
+	extension.Version = version
+	err := manager.downloadExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = oldVersion
+	err = manager.DisableExtension(extension)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = version
+	extensionBinaryPath := buildExtensionPath(manager.fileService.GetBinaryFolder(), extension)
+
+	licenseDetails, err := validateLicense(extensionBinaryPath, extension.License.LicenseKey)
+	if err != nil {
+		return err
+	}
+
+	extension.Version = licenseDetails[2]
+
+	return manager.startExtensionProcess(extension, extensionBinaryPath)
+}
+
+func (manager *ExtensionManager) downloadExtension(extension *portainer.Extension) error {
+	extensionURL := buildExtensionURL(extension)
+
+	data, err := client.Get(extensionURL, 30)
+	if err != nil {
+		return err
+	}
+
+	return manager.fileService.ExtractExtensionArchive(data)
+}
+
+func validateLicense(binaryPath, licenseKey string) ([]string, error) {
+	licenseCheckProcess := exec.Command(binaryPath, "-license", licenseKey, "-check")
+	cmdOutput := &bytes.Buffer{}
+	licenseCheckProcess.Stdout = cmdOutput
+
+	err := licenseCheckProcess.Run()
+	if err != nil {
+		log.Printf("[DEBUG] [exec,extension] [message: unable to run extension process] [err: %s]", err)
+		return nil, errors.New("invalid extension license key")
+	}
+
+	output := string(cmdOutput.Bytes())
+
+	return strings.Split(output, "|"), nil
+}
+
+func (manager *ExtensionManager) startExtensionProcess(extension *portainer.Extension, binaryPath string) error {
+	extensionProcess := exec.Command(binaryPath, "-license", extension.License.LicenseKey)
+	extensionProcess.Stdout = os.Stdout
+	extensionProcess.Stderr = os.Stderr
+
+	err := extensionProcess.Start()
+	if err != nil {
+		log.Printf("[DEBUG] [exec,extension] [message: unable to start extension process] [err: %s]", err)
+		return err
+	}
+
+	time.Sleep(3 * time.Second)
+
+	manager.processes.Set(processKey(extension.ID), extensionProcess)
+	return nil
+}
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -1,89 +0,0 @@
-package exec
-
-import (
-	"bytes"
-	"errors"
-	"io/ioutil"
-	"os/exec"
-	"path"
-	"runtime"
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-// KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment.
-type KubernetesDeployer struct {
-	binaryPath string
-}
-
-// NewKubernetesDeployer initializes a new KubernetesDeployer service.
-func NewKubernetesDeployer(binaryPath string) *KubernetesDeployer {
-	return &KubernetesDeployer{
-		binaryPath: binaryPath,
-	}
-}
-
-// Deploy will deploy a Kubernetes manifest inside a specific namespace in a Kubernetes endpoint.
-// If composeFormat is set to true, it will leverage the kompose binary to deploy a compose compliant manifest.
-// Otherwise it will use kubectl to deploy the manifest.
-func (deployer *KubernetesDeployer) Deploy(endpoint *portainer.Endpoint, data string, composeFormat bool, namespace string) ([]byte, error) {
-	if composeFormat {
-		convertedData, err := deployer.convertComposeData(data)
-		if err != nil {
-			return nil, err
-		}
-		data = string(convertedData)
-	}
-
-	token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
-	if err != nil {
-		return nil, err
-	}
-
-	command := path.Join(deployer.binaryPath, "kubectl")
-	if runtime.GOOS == "windows" {
-		command = path.Join(deployer.binaryPath, "kubectl.exe")
-	}
-
-	args := make([]string, 0)
-	args = append(args, "--server", endpoint.URL)
-	args = append(args, "--insecure-skip-tls-verify")
-	args = append(args, "--token", string(token))
-	args = append(args, "--namespace", namespace)
-	args = append(args, "apply", "-f", "-")
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(command, args...)
-	cmd.Stderr = &stderr
-	cmd.Stdin = strings.NewReader(data)
-
-	output, err := cmd.Output()
-	if err != nil {
-		return nil, errors.New(stderr.String())
-	}
-
-	return output, nil
-}
-
-func (deployer *KubernetesDeployer) convertComposeData(data string) ([]byte, error) {
-	command := path.Join(deployer.binaryPath, "kompose")
-	if runtime.GOOS == "windows" {
-		command = path.Join(deployer.binaryPath, "kompose.exe")
-	}
-
-	args := make([]string, 0)
-	args = append(args, "convert", "-f", "-", "--stdout")
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(command, args...)
-	cmd.Stderr = &stderr
-	cmd.Stdin = strings.NewReader(data)
-
-	output, err := cmd.Output()
-	if err != nil {
-		return nil, errors.New(stderr.String())
-	}
-
-	return output, nil
-}
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -3,7 +3,6 @@ package exec
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -104,7 +103,7 @@ func runCommandAndCaptureStdErr(command string, args []string, env []string, wor

 	err := cmd.Run()
 	if err != nil {
-		return errors.New(stderr.String())
+		return portainer.Error(stderr.String())
 	}

 	return nil
@@ -122,7 +121,7 @@ func (manager *SwarmStackManager) prepareDockerCommandAndArgs(binaryPath, dataPa
 	args = append(args, "--config", dataPath)

 	endpointURL := endpoint.URL
-	if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment {
+	if endpoint.Type == portainer.EdgeAgentEnvironment {
 		tunnel := manager.reverseTunnelService.GetTunnelDetails(endpoint.ID)
 		endpointURL = fmt.Sprintf("tcp://127.0.0.1:%d", tunnel.Port)
 	}
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -4,12 +4,10 @@ import (
 	"bytes"
 	"encoding/json"
 	"encoding/pem"
-	"errors"
-	"fmt"
 	"io/ioutil"

-	"github.com/gofrs/uuid"
 	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/archive"

 	"io"
 	"os"
@@ -39,20 +37,13 @@ const (
 	PublicKeyFile = "portainer.pub"
 	// BinaryStorePath represents the subfolder where binaries are stored in the file store folder.
 	BinaryStorePath = "bin"
-	// EdgeJobStorePath represents the subfolder where schedule files are stored.
-	EdgeJobStorePath = "edge_jobs"
+	// ScheduleStorePath represents the subfolder where schedule files are stored.
+	ScheduleStorePath = "schedules"
 	// ExtensionRegistryManagementStorePath represents the subfolder where files related to the
 	// registry management extension are stored.
 	ExtensionRegistryManagementStorePath = "extensions"
-	// CustomTemplateStorePath represents the subfolder where custom template files are stored in the file store folder.
-	CustomTemplateStorePath = "custom_templates"
-	// TempPath represent the subfolder where temporary files are saved
-	TempPath = "tmp"
 )

-// ErrUndefinedTLSFileType represents an error returned on undefined TLS file type
-var ErrUndefinedTLSFileType = errors.New("Undefined TLS file type")
-
 // Service represents a service for managing files and directories.
 type Service struct {
 	dataStorePath string
@@ -95,6 +86,12 @@ func (service *Service) GetBinaryFolder() string {
 	return path.Join(service.fileStorePath, BinaryStorePath)
 }

+// ExtractExtensionArchive extracts the content of an extension archive
+// specified as raw data into the binary store on the filesystem
+func (service *Service) ExtractExtensionArchive(data []byte) error {
+	return archive.UnzipArchive(data, path.Join(service.fileStorePath, BinaryStorePath))
+}
+
 // RemoveDirectory removes a directory on the filesystem.
 func (service *Service) RemoveDirectory(directoryPath string) error {
 	return os.RemoveAll(directoryPath)
@@ -191,7 +188,7 @@ func (service *Service) StoreTLSFileFromBytes(folder string, fileType portainer.
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return "", ErrUndefinedTLSFileType
+		return "", portainer.ErrUndefinedTLSFileType
 	}

 	tlsFilePath := path.Join(storePath, fileName)
@@ -214,7 +211,7 @@ func (service *Service) GetPathForTLSFile(folder string, fileType portainer.TLSF
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return "", ErrUndefinedTLSFileType
+		return "", portainer.ErrUndefinedTLSFileType
 	}
 	return path.Join(service.fileStorePath, TLSStorePath, folder, fileName), nil
 }
@@ -240,7 +237,7 @@ func (service *Service) DeleteTLSFile(folder string, fileType portainer.TLSFileT
 	case portainer.TLSFileKey:
 		fileName = TLSKeyFile
 	default:
-		return ErrUndefinedTLSFileType
+		return portainer.ErrUndefinedTLSFileType
 	}

 	filePath := path.Join(service.fileStorePath, TLSStorePath, folder, fileName)
@@ -395,48 +392,22 @@ func (service *Service) getContentFromPEMFile(filePath string) ([]byte, error) {
 	return block.Bytes, nil
 }

-// GetCustomTemplateProjectPath returns the absolute path on the FS for a custom template based
+// GetScheduleFolder returns the absolute path on the filesystem for a schedule based
 // on its identifier.
-func (service *Service) GetCustomTemplateProjectPath(identifier string) string {
-	return path.Join(service.fileStorePath, CustomTemplateStorePath, identifier)
+func (service *Service) GetScheduleFolder(identifier string) string {
+	return path.Join(service.fileStorePath, ScheduleStorePath, identifier)
 }

-// StoreCustomTemplateFileFromBytes creates a subfolder in the CustomTemplateStorePath and stores a new file from bytes.
+// StoreScheduledJobFileFromBytes creates a subfolder in the ScheduleStorePath and stores a new file from bytes.
 // It returns the path to the folder where the file is stored.
-func (service *Service) StoreCustomTemplateFileFromBytes(identifier, fileName string, data []byte) (string, error) {
-	customTemplateStorePath := path.Join(CustomTemplateStorePath, identifier)
-	err := service.createDirectoryInStore(customTemplateStorePath)
+func (service *Service) StoreScheduledJobFileFromBytes(identifier string, data []byte) (string, error) {
+	scheduleStorePath := path.Join(ScheduleStorePath, identifier)
+	err := service.createDirectoryInStore(scheduleStorePath)
 	if err != nil {
 		return "", err
 	}

-	templateFilePath := path.Join(customTemplateStorePath, fileName)
-	r := bytes.NewReader(data)
-
-	err = service.createFileInStore(templateFilePath, r)
-	if err != nil {
-		return "", err
-	}
-
-	return path.Join(service.fileStorePath, customTemplateStorePath), nil
-}
-
-// GetEdgeJobFolder returns the absolute path on the filesystem for an Edge job based
-// on its identifier.
-func (service *Service) GetEdgeJobFolder(identifier string) string {
-	return path.Join(service.fileStorePath, EdgeJobStorePath, identifier)
-}
-
-// StoreEdgeJobFileFromBytes creates a subfolder in the EdgeJobStorePath and stores a new file from bytes.
-// It returns the path to the folder where the file is stored.
-func (service *Service) StoreEdgeJobFileFromBytes(identifier string, data []byte) (string, error) {
-	edgeJobStorePath := path.Join(EdgeJobStorePath, identifier)
-	err := service.createDirectoryInStore(edgeJobStorePath)
-	if err != nil {
-		return "", err
-	}
-
-	filePath := path.Join(edgeJobStorePath, createEdgeJobFileName(identifier))
+	filePath := path.Join(scheduleStorePath, createScheduledJobFileName(identifier))
 	r := bytes.NewReader(data)
 	err = service.createFileInStore(filePath, r)
 	if err != nil {
@@ -446,62 +417,6 @@ func (service *Service) StoreEdgeJobFileFromBytes(identifier string, data []byte
 	return path.Join(service.fileStorePath, filePath), nil
 }

-func createEdgeJobFileName(identifier string) string {
+func createScheduledJobFileName(identifier string) string {
 	return "job_" + identifier + ".sh"
 }
-
-// ClearEdgeJobTaskLogs clears the Edge job task logs
-func (service *Service) ClearEdgeJobTaskLogs(edgeJobID string, taskID string) error {
-	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
-
-	err := os.Remove(path)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// GetEdgeJobTaskLogFileContent fetches the Edge job task logs
-func (service *Service) GetEdgeJobTaskLogFileContent(edgeJobID string, taskID string) (string, error) {
-	path := service.getEdgeJobTaskLogPath(edgeJobID, taskID)
-
-	fileContent, err := ioutil.ReadFile(path)
-	if err != nil {
-		return "", err
-	}
-
-	return string(fileContent), nil
-}
-
-// StoreEdgeJobTaskLogFileFromBytes stores the log file
-func (service *Service) StoreEdgeJobTaskLogFileFromBytes(edgeJobID, taskID string, data []byte) error {
-	edgeJobStorePath := path.Join(EdgeJobStorePath, edgeJobID)
-	err := service.createDirectoryInStore(edgeJobStorePath)
-	if err != nil {
-		return err
-	}
-
-	filePath := path.Join(edgeJobStorePath, fmt.Sprintf("logs_%s", taskID))
-	r := bytes.NewReader(data)
-	err = service.createFileInStore(filePath, r)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (service *Service) getEdgeJobTaskLogPath(edgeJobID string, taskID string) string {
-	return fmt.Sprintf("%s/logs_%s", service.GetEdgeJobFolder(edgeJobID), taskID)
-}
-
-// GetTemporaryPath returns a temp folder
-func (service *Service) GetTemporaryPath() (string, error) {
-	uid, err := uuid.NewV4()
-	if err != nil {
-		return "", err
-	}
-
-	return path.Join(service.fileStorePath, TempPath, uid.String()), nil
-}
--- a/api/go.mod
+++ b/api/go.mod
@@ -13,7 +13,6 @@ require (
 	github.com/docker/cli v0.0.0-20191126203649-54d085b857e9
 	github.com/docker/docker v0.0.0-00010101000000-000000000000
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
-	github.com/go-ldap/ldap/v3 v3.1.8
 	github.com/gofrs/uuid v3.2.0+incompatible
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/securecookie v1.1.1
@@ -28,14 +27,14 @@ require (
 	github.com/portainer/libcompose v0.5.3
 	github.com/portainer/libcrypto v0.0.0-20190723020515-23ebe86ab2c2
 	github.com/portainer/libhttp v0.0.0-20190806161843-ba068f58be33
+	github.com/robfig/cron/v3 v3.0.0
 	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
-	golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirect
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
+	gopkg.in/asn1-ber.v1 v1.0.0-00010101000000-000000000000 // indirect
+	gopkg.in/ldap.v2 v2.5.1
 	gopkg.in/src-d/go-git.v4 v4.13.1
-	k8s.io/api v0.17.2
-	k8s.io/apimachinery v0.17.2
-	k8s.io/client-go v0.17.2
 )

 replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203
+
+replace gopkg.in/asn1-ber.v1 => github.com/go-asn1-ber/asn1-ber v1.3.1
--- a/api/go.sum
+++ b/api/go.sum
@@ -1,15 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
-github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
-github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
-github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA=
-github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0=
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc=
-github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Microsoft/go-winio v0.3.8 h1:dvxbxtpTIjdAbx2OtL26p4eq0iEvys/U5yrsTJb3NZI=
 github.com/Microsoft/go-winio v0.3.8/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
@@ -17,9 +8,6 @@ github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+q
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/hcsshim v0.8.6 h1:ZfF0+zZeYdzMIVMZHKtDKJvLHj76XCuVae/jNkjj0IA=
 github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
-github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
-github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
-github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
@@ -48,7 +36,6 @@ github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL
 github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
-github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -63,8 +50,12 @@ github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BU
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.6.3 h1:zI2p9+1NQYdnG6sMU26EX4aVGlqbInSQxQXLvzJ4RPQ=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/engine v1.4.2-0.20191127222017-3152f9436292 h1:qQ7mw+CVWpRj5DWBL4CVHtBbGQdlPCj4j1evDh0ethw=
+github.com/docker/engine v1.4.2-0.20191127222017-3152f9436292/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
 github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203 h1:QeBh8wW8pIZKlXxlMOQ8hSCMdJA+2Z/bD/iDyCAS8XU=
 github.com/docker/engine v1.4.2-0.20200204220554-5f6d6f3f2203/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
+github.com/docker/engine v1.13.1 h1:Cks33UT9YBW5Xyc3MtGDq2IPgqfJtJ+qkFaxc2b0Euc=
+github.com/docker/engine v1.13.1/go.mod h1:3CPr2caMgTHxxIAZgEMd3uLYPDlRvPqCpyeRf6ncPcY=
 github.com/docker/go-connections v0.3.0 h1:3lOnM9cSzgGwx8VfK/NGOW5fLQ0GjIlCkaktF+n1M6o=
 github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zFu83v/M79DuBn84IL/Syx1SY6Y5ZEMA=
@@ -73,65 +64,36 @@ github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96 h1:cenwrSVm+Z7QLSV/BsnenAOcDXdX4cMv4wP0B/5QbPg=
-github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM=
-github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
-github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
-github.com/go-ldap/ldap/v3 v3.1.8 h1:5vU/2jOh9HqprwXp8aF915s9p6Z8wmbSEVF7/gdTFhM=
-github.com/go-ldap/ldap/v3 v3.1.8/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
-github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0=
-github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
-github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
-github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1 h1:72R+M5VuhED/KujmZVcIquuo8mBgX4oVda//DQb3PXo=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I=
-github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
-github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d h1:7XGaL1e6bYS1yIonGp9761ExpPPV1ui0SAC59Yube9k=
-github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY=
-github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v0.0.0-20160317213430-0eeaf8392f5b/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
@@ -141,12 +103,6 @@ github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/gregjones/httpcache v0.0.0-20170728041850-787624de3eb7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -161,17 +117,13 @@ github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82 h1:7ufdyC3aMxF
 github.com/jpillora/requestlog v0.0.0-20181015073026-df8817be5f82/go.mod h1:w8buj+yNfmLEP0ENlbG/FRnK6bVmuhqXnukYCs9sDvY=
 github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9 h1:0c9jcgBtHRtDU//jTrcCgWG6UHjMZytiq/3WhraNgUM=
 github.com/jpillora/sizestr v0.0.0-20160130011556-e2ea2fa42fb9/go.mod h1:1ffp+CRe0eAwwRb0/BownUAjMBsmTLwgAvRbfj9dRwE=
-github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v2wtGp9Gmz1Ze3eVRAWJMLokvN3QjdzCHLY=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
-github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G+j5fuFxCsJqjFU/sZe0mj8H0sSoSwbaikw=
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c/go.mod h1:Nn5wlyECw3iJrzi0AhIWg+AJUb4PlRQVW4/3XHH1LZA=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
@@ -184,11 +136,12 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mattn/go-shellwords v1.0.6 h1:9Jok5pILi5S1MnDirGVTufYGtksUs/V2BWUP3ZkeUUI=
 github.com/mattn/go-shellwords v1.0.6/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/microsoft/go-winio v0.4.8 h1:N4SmTFXUK7/jnn/UG/gm2mrHiYu9LVGvtsvULyody/c=
+github.com/microsoft/go-winio v0.4.8/go.mod h1:kcIxxtKZE55DEncT/EOvFiygPobhUWpSDqDb47poQOU=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
@@ -196,22 +149,12 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c h1:nXxl5PrvVm2L/wCy8dQu6DMTwH4oIuGN8GJDAlqDdVE=
 github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420 h1:Yu3681ykYHDfLoI6XVjL4JWmkE+3TX9yfIWwRCh1kFM=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/image-spec v0.0.0-20170515205857-f03dbe35d449 h1:Aq8iG72akPb/kszE7ksZ5ldV+JYPYii/KZOxlpJF07s=
@@ -221,11 +164,9 @@ github.com/opencontainers/runc v0.0.0-20161109192122-51371867a01c/go.mod h1:qT5X
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
 github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
-github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/portainer/libcompose v0.5.3 h1:tE4WcPuGvo+NKeDkDWpwNavNLZ5GHIJ4RvuZXsI9uI8=
@@ -248,26 +189,22 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3 h1:CTwfnzjQ+8dS6MhHHu4YswVAD99sL2wjPqP+VkURmKE=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
+github.com/robfig/cron/v3 v3.0.0 h1:kQ6Cb7aHOHTSzNVNEhmp8EcWKLb4CbiMW9h9VyIhO4E=
+github.com/robfig/cron/v3 v3.0.0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
-github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
-github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
 github.com/urfave/cli v1.21.0/go.mod h1:lxDj6qX9Q6lWQxIrbrT0nwecwUtRnhVZAJjJZrVUZZQ=
@@ -279,58 +216,30 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.1.0 h1:ngVtJC9TY/lg0AA/1k48FYhBrhRoFlEmWzsehpNAaZg=
 github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1 h1:anGSYQpPhQwXlwsu5wmfq0nWkCNaMEMUwAv13Y92hd8=
 golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80 h1:Ao/3l156eZf2AW5wK8a7/smtodRU+gha3+BeqJ69lRk=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc h1:gkKoSkUmnU6bpS/VhkuO27bzQeSA51uaEfbOW5dNb68=
-golang.org/x/net v0.0.0-20190812203447-cdfb69ac37fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 h1:e6HwijUxhDe+hPNjZQQn9bA5PW3vNmnN64U2ZW759Lk=
-golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181019160139-8e24a49d80f8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -338,36 +247,20 @@ golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3 h1:4y9KwBHBgBNwDbtu44R5o1fdOCQUEXhbk/P4A9WmJq0=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg=
-golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/sys v0.0.0-20200219091948-cb0a6d8edb6c h1:jceGD5YNJGgGMkJz79agzOln1K9TaZUjv5ird16qniQ=
+golang.org/x/sys v0.0.0-20200219091948-cb0a6d8edb6c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7 h1:ZUjXAXmrAyrmmCPHgCA/vChHcpsX27MZ3yBonD/z1KE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.22.1 h1:/7cs52RnTJmD43s3uxzlq2U7nqVTd/37viQwMrMNlOM=
 google.golang.org/grpc v1.22.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
@@ -375,53 +268,19 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
+gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=
 gopkg.in/src-d/go-billy.v4 v4.3.2 h1:0SQA1pRztfTFx2miS8sA97XvooFeNOmvUenF4o0EcVg=
 gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0 h1:ivZFOIltbce2Mo8IjzUHAFoq/IylO9WHhNOAJK+LsJg=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
 gopkg.in/src-d/go-git.v4 v4.13.1 h1:SRtFyV8Kxc0UP7aCHcijOMQGPxHSmMOPrzulQWolkYE=
 gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20191114100352-16d7abae0d2a h1:86XISgFlG7lPOWj6wYLxd+xqhhVt/WQjS4Tf39rP09s=
-k8s.io/api v0.0.0-20191114100352-16d7abae0d2a/go.mod h1:qetVJgs5i8jwdFIdoOZ70ks0ecgU+dYwqZ2uD1srwOU=
-k8s.io/api v0.17.2 h1:NF1UFXcKN7/OOv1uxdRz3qfra8AHsPav5M93hlV9+Dc=
-k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
-k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb h1:ZUNsbuPdXWrj0rZziRfCWcFg9ZP31OKkziqCbiphznI=
-k8s.io/apimachinery v0.0.0-20191028221656-72ed19daf4bb/go.mod h1:llRdnznGEAqC3DcNm6yEj472xaFVfLM7hnYofMb12tQ=
-k8s.io/apimachinery v0.17.2 h1:hwDQQFbdRlpnnsR64Asdi55GyCaIP/3WQpMmbNBeWr4=
-k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
-k8s.io/client-go v0.0.0-20191114101535-6c5935290e33 h1:07mhG/2oEoo3N+sHVOo0L9PJ/qvbk3N5n2dj8IWefnQ=
-k8s.io/client-go v0.0.0-20191114101535-6c5935290e33/go.mod h1:4L/zQOBkEf4pArQJ+CMk1/5xjA30B5oyWv+Bzb44DOw=
-k8s.io/client-go v0.17.2 h1:ndIfkfXEGrNhLIgkr0+qhRguSD3u6DCmonepn1O6NYc=
-k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
-k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
-k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-k8s.io/klog v0.4.0 h1:lCJCxf/LIowc2IGS9TPjWDyXY4nOmdGdfcwwDQCOURQ=
-k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
-k8s.io/kube-openapi v0.0.0-20190816220812-743ec37842bf/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
-k8s.io/utils v0.0.0-20190801114015-581e00157fb1 h1:+ySTxfHnfzZb9ys375PXNlLhkJPLKgHajBU0N62BDvE=
-k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo=
-k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
-sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
-sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@@ -3,7 +3,6 @@ package client
 import (
 	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -15,10 +14,9 @@ import (
 	"github.com/portainer/portainer/api"
 )

-var errInvalidResponseStatus = errors.New("Invalid response status (expecting 200)")
-
 const (
-	defaultHTTPTimeout = 5
+	errInvalidResponseStatus = portainer.Error("Invalid response status (expecting 200)")
+	defaultHTTPTimeout       = 5
 )

 // HTTPClient represents a client to send HTTP requests.
@@ -58,7 +56,7 @@ func (client *HTTPClient) ExecuteAzureAuthenticationRequest(credentials *portain
 	}

 	if response.StatusCode != http.StatusOK {
-		return nil, errors.New("Invalid Azure credentials")
+		return nil, portainer.ErrAzureInvalidCredentials
 	}

 	var token AzureAuthenticationResponse
--- a/api/http/errors/errors.go
+++ b/api/http/errors/errors.go
@@ -1,12 +0,0 @@
-package errors
-
-import "errors"
-
-var (
-	// ErrEndpointAccessDenied Access denied to endpoint error
-	ErrEndpointAccessDenied = errors.New("Access denied to endpoint")
-	// ErrUnauthorized Unauthorized error
-	ErrUnauthorized = errors.New("Unauthorized")
-	// ErrResourceAccessDenied Access denied to resource error
-	ErrResourceAccessDenied = errors.New("Access denied to resource")
-)
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -1,7 +1,6 @@
 package auth

 import (
-	"errors"
 	"log"
 	"net/http"
 	"strings"
@@ -11,8 +10,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	httperrors "github.com/portainer/portainer/api/http/errors"
 )

 type authenticatePayload struct {
@@ -26,40 +23,44 @@ type authenticateResponse struct {

 func (payload *authenticatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Username) {
-		return errors.New("Invalid username")
+		return portainer.Error("Invalid username")
 	}
 	if govalidator.IsNull(payload.Password) {
-		return errors.New("Invalid password")
+		return portainer.Error("Invalid password")
 	}
 	return nil
 }

 func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	if handler.authDisabled {
+		return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
+	}
+
 	var payload authenticatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

-	u, err := handler.DataStore.User().UserByUsername(payload.Username)
-	if err != nil && err != bolterrors.ErrObjectNotFound {
+	u, err := handler.UserService.UserByUsername(payload.Username)
+	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}

-	if err == bolterrors.ErrObjectNotFound && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+	if err == portainer.ErrObjectNotFound && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
 	}

 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
 		if u == nil && settings.LDAPSettings.AutoCreateUsers {
 			return handler.authenticateLDAPAndCreateUser(w, payload.Username, payload.Password, &settings.LDAPSettings)
 		} else if u == nil && !settings.LDAPSettings.AutoCreateUsers {
-			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
 		}
 		return handler.authenticateLDAP(w, u, payload.Password, &settings.LDAPSettings)
 	}
@@ -78,13 +79,18 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}

+	err = handler.AuthorizationService.UpdateUsersAuthorizations()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+	}
+
 	return handler.writeToken(w, user)
 }

 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
 	err := handler.CryptoService.CompareHashAndData(user.Password, password)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", portainer.ErrUnauthorized}
 	}

 	return handler.writeToken(w, user)
@@ -97,11 +103,12 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 	}

 	user := &portainer.User{
-		Username: username,
-		Role:     portainer.StandardUserRole,
+		Username:                username,
+		Role:                    portainer.StandardUserRole,
+		PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 	}

-	err = handler.DataStore.User().CreateUser(user)
+	err = handler.UserService.CreateUser(user)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 	}
@@ -111,6 +118,11 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
 	}

+	err = handler.AuthorizationService.UpdateUsersAuthorizations()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+	}
+
 	return handler.writeToken(w, user)
 }

@@ -134,7 +146,7 @@ func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *p
 }

 func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portainer.LDAPSettings) error {
-	teams, err := handler.DataStore.Team().Teams()
+	teams, err := handler.TeamService.Teams()
 	if err != nil {
 		return err
 	}
@@ -144,7 +156,7 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 		return err
 	}

-	userMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	userMemberships, err := handler.TeamMembershipService.TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return err
 	}
@@ -162,7 +174,7 @@ func (handler *Handler) addUserIntoTeams(user *portainer.User, settings *portain
 				Role:   portainer.TeamMember,
 			}

-			err := handler.DataStore.TeamMembership().CreateTeamMembership(membership)
+			err := handler.TeamMembershipService.CreateTeamMembership(membership)
 			if err != nil {
 				return err
 			}
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@@ -1,7 +1,8 @@
 package auth

 import (
-	"errors"
+	"encoding/json"
+	"io/ioutil"
 	"log"
 	"net/http"

@@ -9,8 +10,6 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	httperrors "github.com/portainer/portainer/api/http/errors"
 )

 type oauthPayload struct {
@@ -19,26 +18,57 @@ type oauthPayload struct {

 func (payload *oauthPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Code) {
-		return errors.New("Invalid OAuth authorization code")
+		return portainer.Error("Invalid OAuth authorization code")
 	}
 	return nil
 }

-func (handler *Handler) authenticateOAuth(code string, settings *portainer.OAuthSettings) (string, error) {
-	if code == "" {
-		return "", errors.New("Invalid OAuth authorization code")
+func (handler *Handler) authenticateThroughExtension(code, licenseKey string, settings *portainer.OAuthSettings) (string, error) {
+	extensionURL := handler.ProxyManager.GetExtensionURL(portainer.OAuthAuthenticationExtension)
+
+	encodedConfiguration, err := json.Marshal(settings)
+	if err != nil {
+		return "", nil
 	}

-	if settings == nil {
-		return "", errors.New("Invalid OAuth configuration")
-	}
-
-	username, err := handler.OAuthService.Authenticate(code, settings)
+	req, err := http.NewRequest("GET", extensionURL+"/validate", nil)
 	if err != nil {
 		return "", err
 	}

-	return username, nil
+	client := &http.Client{}
+	req.Header.Set("X-OAuth-Config", string(encodedConfiguration))
+	req.Header.Set("X-OAuth-Code", code)
+	req.Header.Set("X-PortainerExtension-License", licenseKey)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+
+	type extensionResponse struct {
+		Username string `json:"Username,omitempty"`
+		Err      string `json:"err,omitempty"`
+		Details  string `json:"details,omitempty"`
+	}
+
+	var extResp extensionResponse
+	err = json.Unmarshal(body, &extResp)
+	if err != nil {
+		return "", err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return "", portainer.Error(extResp.Err + ":" + extResp.Details)
+	}
+
+	return extResp.Username, nil
 }

 func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -48,37 +78,45 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

 	if settings.AuthenticationMethod != 3 {
-		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", errors.New("OAuth authentication is not enabled")}
+		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", portainer.Error("OAuth authentication is not enabled")}
 	}

-	username, err := handler.authenticateOAuth(payload.Code, &settings.OAuthSettings)
+	extension, err := handler.ExtensionService.Extension(portainer.OAuthAuthenticationExtension)
+	if err == portainer.ErrObjectNotFound {
+		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
+	}
+
+	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
 	if err != nil {
 		log.Printf("[DEBUG] - OAuth authentication error: %s", err)
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", httperrors.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
 	}

-	user, err := handler.DataStore.User().UserByUsername(username)
-	if err != nil && err != bolterrors.ErrObjectNotFound {
+	user, err := handler.UserService.UserByUsername(username)
+	if err != nil && err != portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
 	}

 	if user == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
-		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", httperrors.ErrUnauthorized}
+		return &httperror.HandlerError{http.StatusForbidden, "Account not created beforehand in Portainer and automatic user provisioning not enabled", portainer.ErrUnauthorized}
 	}

 	if user == nil {
 		user = &portainer.User{
-			Username: username,
-			Role:     portainer.StandardUserRole,
+			Username:                username,
+			Role:                    portainer.StandardUserRole,
+			PortainerAuthorizations: portainer.DefaultPortainerAuthorizations(),
 		}

-		err = handler.DataStore.User().CreateUser(user)
+		err = handler.UserService.CreateUser(user)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
 		}
@@ -90,12 +128,16 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 				Role:   portainer.TeamMember,
 			}

-			err = handler.DataStore.TeamMembership().CreateTeamMembership(membership)
+			err = handler.TeamMembershipService.CreateTeamMembership(membership)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist team membership inside the database", err}
 			}
 		}

+		err = handler.AuthorizationService.UpdateUsersAuthorizations()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update user authorizations", err}
+		}
 	}

 	return handler.writeToken(w, user)
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -7,34 +7,47 @@ import (
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/proxy"
-	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
 )

+const (
+	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
+	ErrInvalidCredentials = portainer.Error("Invalid credentials")
+	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
+	// when the server has been started with the --no-auth flag
+	ErrAuthDisabled = portainer.Error("Authentication is disabled")
+)
+
 // Handler is the HTTP handler used to handle authentication operations.
 type Handler struct {
 	*mux.Router
-	DataStore                   portainer.DataStore
-	CryptoService               portainer.CryptoService
-	JWTService                  portainer.JWTService
-	LDAPService                 portainer.LDAPService
-	OAuthService                portainer.OAuthService
-	ProxyManager                *proxy.Manager
-	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
+	authDisabled          bool
+	UserService           portainer.UserService
+	CryptoService         portainer.CryptoService
+	JWTService            portainer.JWTService
+	LDAPService           portainer.LDAPService
+	SettingsService       portainer.SettingsService
+	TeamService           portainer.TeamService
+	TeamMembershipService portainer.TeamMembershipService
+	ExtensionService      portainer.ExtensionService
+	EndpointService       portainer.EndpointService
+	EndpointGroupService  portainer.EndpointGroupService
+	RoleService           portainer.RoleService
+	ProxyManager          *proxy.Manager
+	AuthorizationService  *portainer.AuthorizationService
 }

 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimiter, authDisabled bool) *Handler {
 	h := &Handler{
-		Router: mux.NewRouter(),
+		Router:       mux.NewRouter(),
+		authDisabled: authDisabled,
 	}

 	h.Handle("/auth/oauth/validate",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
-	h.Handle("/auth/logout",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.logout))).Methods(http.MethodPost)

 	return h
 }
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@@ -1,21 +0,0 @@
-package auth
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// POST request on /logout
-func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user details from authentication token", err}
-	}
-
-	handler.KubernetesTokenCacheManager.RemoveUserFromCache(int(tokenData.ID))
-
-	return response.Empty(w)
-}
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -1,290 +0,0 @@
-package customtemplates
-
-import (
-	"errors"
-	"net/http"
-	"strconv"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/filesystem"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/authorization"
-)
-
-func (handler *Handler) customTemplateCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method", err}
-	}
-
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user details from authentication token", err}
-	}
-
-	customTemplate, err := handler.createCustomTemplate(method, r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create custom template", err}
-	}
-
-	customTemplate.CreatedByUserID = tokenData.ID
-
-	customTemplates, err := handler.DataStore.CustomTemplate().CustomTemplates()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom templates from the database", err}
-	}
-
-	for _, existingTemplate := range customTemplates {
-		if existingTemplate.Title == customTemplate.Title {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Template name must be unique", errors.New("Template name must be unique")}
-		}
-	}
-
-	err = handler.DataStore.CustomTemplate().CreateCustomTemplate(customTemplate)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create custom template", err}
-	}
-
-	resourceControl := authorization.NewPrivateResourceControl(strconv.Itoa(int(customTemplate.ID)), portainer.CustomTemplateResourceControl, tokenData.ID)
-
-	err = handler.DataStore.ResourceControl().CreateResourceControl(resourceControl)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist resource control inside the database", err}
-	}
-
-	customTemplate.ResourceControl = resourceControl
-
-	return response.JSON(w, customTemplate)
-}
-
-func (handler *Handler) createCustomTemplate(method string, r *http.Request) (*portainer.CustomTemplate, error) {
-	switch method {
-	case "string":
-		return handler.createCustomTemplateFromFileContent(r)
-	case "repository":
-		return handler.createCustomTemplateFromGitRepository(r)
-	case "file":
-		return handler.createCustomTemplateFromFileUpload(r)
-	}
-	return nil, errors.New("Invalid value for query parameter: method. Value must be one of: string, repository or file")
-}
-
-type customTemplateFromFileContentPayload struct {
-	Logo        string
-	Title       string
-	FileContent string
-	Description string
-	Note        string
-	Platform    portainer.CustomTemplatePlatform
-	Type        portainer.StackType
-}
-
-func (payload *customTemplateFromFileContentPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Title) {
-		return errors.New("Invalid custom template title")
-	}
-	if govalidator.IsNull(payload.Description) {
-		return errors.New("Invalid custom template description")
-	}
-	if govalidator.IsNull(payload.FileContent) {
-		return errors.New("Invalid file content")
-	}
-	if payload.Platform != portainer.CustomTemplatePlatformLinux && payload.Platform != portainer.CustomTemplatePlatformWindows {
-		return errors.New("Invalid custom template platform")
-	}
-	if payload.Type != portainer.DockerSwarmStack && payload.Type != portainer.DockerComposeStack {
-		return errors.New("Invalid custom template type")
-	}
-	return nil
-}
-
-func (handler *Handler) createCustomTemplateFromFileContent(r *http.Request) (*portainer.CustomTemplate, error) {
-	var payload customTemplateFromFileContentPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return nil, err
-	}
-
-	customTemplateID := handler.DataStore.CustomTemplate().GetNextIdentifier()
-	customTemplate := &portainer.CustomTemplate{
-		ID:          portainer.CustomTemplateID(customTemplateID),
-		Title:       payload.Title,
-		EntryPoint:  filesystem.ComposeFileDefaultName,
-		Description: payload.Description,
-		Note:        payload.Note,
-		Platform:    (payload.Platform),
-		Type:        (payload.Type),
-		Logo:        payload.Logo,
-	}
-
-	templateFolder := strconv.Itoa(customTemplateID)
-	projectPath, err := handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
-	if err != nil {
-		return nil, err
-	}
-	customTemplate.ProjectPath = projectPath
-
-	return customTemplate, nil
-}
-
-type customTemplateFromGitRepositoryPayload struct {
-	Logo                        string
-	Title                       string
-	Description                 string
-	Note                        string
-	Platform                    portainer.CustomTemplatePlatform
-	Type                        portainer.StackType
-	RepositoryURL               string
-	RepositoryReferenceName     string
-	RepositoryAuthentication    bool
-	RepositoryUsername          string
-	RepositoryPassword          string
-	ComposeFilePathInRepository string
-}
-
-func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Title) {
-		return errors.New("Invalid custom template title")
-	}
-	if govalidator.IsNull(payload.Description) {
-		return errors.New("Invalid custom template description")
-	}
-	if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
-		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
-	}
-	if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
-		return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
-	}
-	if govalidator.IsNull(payload.ComposeFilePathInRepository) {
-		payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
-	}
-	if payload.Platform != portainer.CustomTemplatePlatformLinux && payload.Platform != portainer.CustomTemplatePlatformWindows {
-		return errors.New("Invalid custom template platform")
-	}
-	if payload.Type != portainer.DockerSwarmStack && payload.Type != portainer.DockerComposeStack {
-		return errors.New("Invalid custom template type")
-	}
-	return nil
-}
-
-func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (*portainer.CustomTemplate, error) {
-	var payload customTemplateFromGitRepositoryPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return nil, err
-	}
-
-	customTemplateID := handler.DataStore.CustomTemplate().GetNextIdentifier()
-	customTemplate := &portainer.CustomTemplate{
-		ID:          portainer.CustomTemplateID(customTemplateID),
-		Title:       payload.Title,
-		EntryPoint:  payload.ComposeFilePathInRepository,
-		Description: payload.Description,
-		Note:        payload.Note,
-		Platform:    payload.Platform,
-		Type:        payload.Type,
-		Logo:        payload.Logo,
-	}
-
-	projectPath := handler.FileService.GetCustomTemplateProjectPath(strconv.Itoa(customTemplateID))
-	customTemplate.ProjectPath = projectPath
-
-	gitCloneParams := &cloneRepositoryParameters{
-		url:            payload.RepositoryURL,
-		referenceName:  payload.RepositoryReferenceName,
-		path:           projectPath,
-		authentication: payload.RepositoryAuthentication,
-		username:       payload.RepositoryUsername,
-		password:       payload.RepositoryPassword,
-	}
-
-	err = handler.cloneGitRepository(gitCloneParams)
-	if err != nil {
-		return nil, err
-	}
-
-	return customTemplate, nil
-}
-
-type customTemplateFromFileUploadPayload struct {
-	Logo        string
-	Title       string
-	Description string
-	Note        string
-	Platform    portainer.CustomTemplatePlatform
-	Type        portainer.StackType
-	FileContent []byte
-}
-
-func (payload *customTemplateFromFileUploadPayload) Validate(r *http.Request) error {
-	title, err := request.RetrieveMultiPartFormValue(r, "Title", false)
-	if err != nil {
-		return errors.New("Invalid custom template title")
-	}
-	payload.Title = title
-
-	description, err := request.RetrieveMultiPartFormValue(r, "Description", false)
-	if err != nil {
-		return errors.New("Invalid custom template description")
-	}
-
-	payload.Description = description
-
-	note, _ := request.RetrieveMultiPartFormValue(r, "Note", true)
-	payload.Note = note
-
-	platform, _ := request.RetrieveNumericMultiPartFormValue(r, "Platform", true)
-	templatePlatform := portainer.CustomTemplatePlatform(platform)
-	if templatePlatform != portainer.CustomTemplatePlatformLinux && templatePlatform != portainer.CustomTemplatePlatformWindows {
-		return errors.New("Invalid custom template platform")
-	}
-	payload.Platform = templatePlatform
-
-	typeNumeral, _ := request.RetrieveNumericMultiPartFormValue(r, "Type", true)
-	templateType := portainer.StackType(typeNumeral)
-	if templateType != portainer.DockerComposeStack && templateType != portainer.DockerSwarmStack {
-		return errors.New("Invalid custom template type")
-	}
-	payload.Type = templateType
-
-	composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
-	if err != nil {
-		return errors.New("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
-	}
-	payload.FileContent = composeFileContent
-
-	return nil
-}
-
-func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*portainer.CustomTemplate, error) {
-	payload := &customTemplateFromFileUploadPayload{}
-	err := payload.Validate(r)
-	if err != nil {
-		return nil, err
-	}
-
-	customTemplateID := handler.DataStore.CustomTemplate().GetNextIdentifier()
-	customTemplate := &portainer.CustomTemplate{
-		ID:          portainer.CustomTemplateID(customTemplateID),
-		Title:       payload.Title,
-		Description: payload.Description,
-		Note:        payload.Note,
-		Platform:    payload.Platform,
-		Type:        payload.Type,
-		Logo:        payload.Logo,
-		EntryPoint:  filesystem.ComposeFileDefaultName,
-	}
-
-	templateFolder := strconv.Itoa(customTemplateID)
-	projectPath, err := handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
-	if err != nil {
-		return nil, err
-	}
-	customTemplate.ProjectPath = projectPath
-
-	return customTemplate, nil
-}
--- a/api/http/handler/customtemplates/customtemplate_delete.go
+++ b/api/http/handler/customtemplates/customtemplate_delete.go
@@ -1,63 +0,0 @@
-package customtemplates
-
-import (
-	"net/http"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	httperrors "github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-func (handler *Handler) customTemplateDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Custom template identifier route variable", err}
-	}
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	customTemplate, err := handler.DataStore.CustomTemplate().CustomTemplate(portainer.CustomTemplateID(customTemplateID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a custom template with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a custom template with the specified identifier inside the database", err}
-	}
-
-	resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(strconv.Itoa(customTemplateID), portainer.CustomTemplateResourceControl)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the custom template", err}
-	}
-
-	access := userCanEditTemplate(customTemplate, securityContext)
-	if !access {
-		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
-	}
-
-	err = handler.DataStore.CustomTemplate().DeleteCustomTemplate(portainer.CustomTemplateID(customTemplateID))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the custom template from the database", err}
-	}
-
-	err = handler.FileService.RemoveDirectory(customTemplate.ProjectPath)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove custom template files from disk", err}
-	}
-
-	if resourceControl != nil {
-		err = handler.DataStore.ResourceControl().DeleteResourceControl(resourceControl.ID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the associated resource control from the database", err}
-		}
-	}
-
-	return response.Empty(w)
-
-}
--- a/api/http/handler/customtemplates/customtemplate_file.go
+++ b/api/http/handler/customtemplates/customtemplate_file.go
@@ -1,38 +0,0 @@
-package customtemplates
-
-import (
-	"net/http"
-	"path"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-type fileResponse struct {
-	FileContent string
-}
-
-// GET request on /api/custom_templates/:id/file
-func (handler *Handler) customTemplateFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid custom template identifier route variable", err}
-	}
-
-	customTemplate, err := handler.DataStore.CustomTemplate().CustomTemplate(portainer.CustomTemplateID(customTemplateID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a custom template with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a custom template with the specified identifier inside the database", err}
-	}
-
-	fileContent, err := handler.FileService.GetFileContent(path.Join(customTemplate.ProjectPath, customTemplate.EntryPoint))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom template file from disk", err}
-	}
-
-	return response.JSON(w, &fileResponse{FileContent: string(fileContent)})
-}
--- a/api/http/handler/customtemplates/customtemplate_inspect.go
+++ b/api/http/handler/customtemplates/customtemplate_inspect.go
@@ -1,49 +0,0 @@
-package customtemplates
-
-import (
-	"net/http"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	httperrors "github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-func (handler *Handler) customTemplateInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Custom template identifier route variable", err}
-	}
-
-	customTemplate, err := handler.DataStore.CustomTemplate().CustomTemplate(portainer.CustomTemplateID(customTemplateID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a custom template with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a custom template with the specified identifier inside the database", err}
-	}
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user info from request context", err}
-	}
-
-	resourceControl, err := handler.DataStore.ResourceControl().ResourceControlByResourceIDAndType(strconv.Itoa(customTemplateID), portainer.CustomTemplateResourceControl)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a resource control associated to the custom template", err}
-	}
-
-	access := userCanEditTemplate(customTemplate, securityContext)
-	if !access {
-		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
-	}
-
-	if resourceControl != nil {
-		customTemplate.ResourceControl = resourceControl
-	}
-
-	return response.JSON(w, customTemplate)
-}
--- a/api/http/handler/customtemplates/customtemplate_list.go
+++ b/api/http/handler/customtemplates/customtemplate_list.go
@@ -1,67 +0,0 @@
-package customtemplates
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/authorization"
-)
-
-func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	customTemplates, err := handler.DataStore.CustomTemplate().CustomTemplates()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom templates from the database", err}
-	}
-
-	stackType, _ := request.RetrieveNumericQueryParameter(r, "type", true)
-
-	resourceControls, err := handler.DataStore.ResourceControl().ResourceControls()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve resource controls from the database", err}
-	}
-
-	customTemplates = authorization.DecorateCustomTemplates(customTemplates, resourceControls)
-
-	customTemplates = filterTemplatesByEngineType(customTemplates, portainer.StackType(stackType))
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	if !securityContext.IsAdmin {
-		user, err := handler.DataStore.User().User(securityContext.UserID)
-		if err != nil {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve user information from the database", err}
-		}
-
-		userTeamIDs := make([]portainer.TeamID, 0)
-		for _, membership := range securityContext.UserMemberships {
-			userTeamIDs = append(userTeamIDs, membership.TeamID)
-		}
-
-		customTemplates = authorization.FilterAuthorizedCustomTemplates(customTemplates, user, userTeamIDs)
-	}
-
-	return response.JSON(w, customTemplates)
-}
-
-func filterTemplatesByEngineType(templates []portainer.CustomTemplate, stackType portainer.StackType) []portainer.CustomTemplate {
-	if stackType == 0 {
-		return templates
-	}
-
-	filteredTemplates := []portainer.CustomTemplate{}
-
-	for _, template := range templates {
-		if template.Type == stackType {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return filteredTemplates
-}
--- a/api/http/handler/customtemplates/customtemplate_update.go
+++ b/api/http/handler/customtemplates/customtemplate_update.go
@@ -1,107 +0,0 @@
-package customtemplates
-
-import (
-	"errors"
-	"net/http"
-	"strconv"
-
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	portainer "github.com/portainer/portainer/api"
-	httperrors "github.com/portainer/portainer/api/http/errors"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-type customTemplateUpdatePayload struct {
-	Logo        string
-	Title       string
-	Description string
-	Note        string
-	Platform    portainer.CustomTemplatePlatform
-	Type        portainer.StackType
-	FileContent string
-}
-
-func (payload *customTemplateUpdatePayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Title) {
-		return errors.New("Invalid custom template title")
-	}
-	if govalidator.IsNull(payload.FileContent) {
-		return errors.New("Invalid file content")
-	}
-	if payload.Platform != portainer.CustomTemplatePlatformLinux && payload.Platform != portainer.CustomTemplatePlatformWindows {
-		return errors.New("Invalid custom template platform")
-	}
-	if payload.Type != portainer.DockerComposeStack && payload.Type != portainer.DockerSwarmStack {
-		return errors.New("Invalid custom template type")
-	}
-	if govalidator.IsNull(payload.Description) {
-		return errors.New("Invalid custom template description")
-	}
-	return nil
-}
-
-func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	customTemplateID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Custom template identifier route variable", err}
-	}
-
-	var payload customTemplateUpdatePayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	customTemplates, err := handler.DataStore.CustomTemplate().CustomTemplates()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve custom templates from the database", err}
-	}
-
-	for _, existingTemplate := range customTemplates {
-		if existingTemplate.ID != portainer.CustomTemplateID(customTemplateID) && existingTemplate.Title == payload.Title {
-			return &httperror.HandlerError{http.StatusInternalServerError, "Template name must be unique", errors.New("Template name must be unique")}
-		}
-	}
-
-	customTemplate, err := handler.DataStore.CustomTemplate().CustomTemplate(portainer.CustomTemplateID(customTemplateID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a custom template with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a custom template with the specified identifier inside the database", err}
-	}
-
-	securityContext, err := security.RetrieveRestrictedRequestContext(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve info from request context", err}
-	}
-
-	access := userCanEditTemplate(customTemplate, securityContext)
-	if !access {
-		return &httperror.HandlerError{http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied}
-	}
-
-	templateFolder := strconv.Itoa(customTemplateID)
-	_, err = handler.FileService.StoreCustomTemplateFileFromBytes(templateFolder, customTemplate.EntryPoint, []byte(payload.FileContent))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist updated custom template file on disk", err}
-	}
-
-	customTemplate.Title = payload.Title
-	customTemplate.Logo = payload.Logo
-	customTemplate.Description = payload.Description
-	customTemplate.Note = payload.Note
-	customTemplate.Platform = payload.Platform
-	customTemplate.Type = payload.Type
-
-	err = handler.DataStore.CustomTemplate().UpdateCustomTemplate(customTemplate.ID, customTemplate)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist custom template changes inside the database", err}
-	}
-
-	return response.JSON(w, customTemplate)
-}
--- a/api/http/handler/customtemplates/git.go
+++ b/api/http/handler/customtemplates/git.go
@@ -1,17 +0,0 @@
-package customtemplates
-
-type cloneRepositoryParameters struct {
-	url            string
-	referenceName  string
-	path           string
-	authentication bool
-	username       string
-	password       string
-}
-
-func (handler *Handler) cloneGitRepository(parameters *cloneRepositoryParameters) error {
-	if parameters.authentication {
-		return handler.GitService.ClonePrivateRepositoryWithBasicAuth(parameters.url, parameters.referenceName, parameters.path, parameters.username, parameters.password)
-	}
-	return handler.GitService.ClonePublicRepository(parameters.url, parameters.referenceName, parameters.path)
-}
--- a/api/http/handler/customtemplates/handler.go
+++ b/api/http/handler/customtemplates/handler.go
@@ -1,60 +0,0 @@
-package customtemplates
-
-import (
-	"net/http"
-
-	"github.com/gorilla/mux"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/authorization"
-)
-
-// Handler is the HTTP handler used to handle endpoint group operations.
-type Handler struct {
-	*mux.Router
-	DataStore   portainer.DataStore
-	FileService portainer.FileService
-	GitService  portainer.GitService
-}
-
-// NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router: mux.NewRouter(),
-	}
-	h.Handle("/custom_templates",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateCreate))).Methods(http.MethodPost)
-	h.Handle("/custom_templates",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateList))).Methods(http.MethodGet)
-	h.Handle("/custom_templates/{id}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateInspect))).Methods(http.MethodGet)
-	h.Handle("/custom_templates/{id}/file",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateFile))).Methods(http.MethodGet)
-	h.Handle("/custom_templates/{id}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateUpdate))).Methods(http.MethodPut)
-	h.Handle("/custom_templates/{id}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateDelete))).Methods(http.MethodDelete)
-	return h
-}
-
-func userCanEditTemplate(customTemplate *portainer.CustomTemplate, securityContext *security.RestrictedRequestContext) bool {
-	return securityContext.IsAdmin || customTemplate.CreatedByUserID == securityContext.UserID
-}
-
-func userCanAccessTemplate(customTemplate portainer.CustomTemplate, securityContext *security.RestrictedRequestContext, resourceControl *portainer.ResourceControl) bool {
-	if securityContext.IsAdmin || customTemplate.CreatedByUserID == securityContext.UserID {
-		return true
-	}
-
-	userTeamIDs := make([]portainer.TeamID, 0)
-	for _, membership := range securityContext.UserMemberships {
-		userTeamIDs = append(userTeamIDs, membership.TeamID)
-	}
-
-	if resourceControl != nil && authorization.UserCanAccessResource(securityContext.UserID, userTeamIDs, resourceControl) {
-		return true
-	}
-
-	return false
-}
--- a/api/http/handler/dockerhub/dockerhub_inspect.go
+++ b/api/http/handler/dockerhub/dockerhub_inspect.go
@@ -9,7 +9,7 @@ import (

 // GET request on /api/dockerhub
 func (handler *Handler) dockerhubInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	dockerhub, err := handler.DataStore.DockerHub().DockerHub()
+	dockerhub, err := handler.DockerHubService.DockerHub()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve DockerHub details from the database", err}
 	}
--- a/api/http/handler/dockerhub/dockerhub_update.go
+++ b/api/http/handler/dockerhub/dockerhub_update.go
@@ -1,7 +1,6 @@
 package dockerhub

 import (
-	"errors"
 	"net/http"

 	"github.com/asaskevich/govalidator"
@@ -19,7 +18,7 @@ type dockerhubUpdatePayload struct {

 func (payload *dockerhubUpdatePayload) Validate(r *http.Request) error {
 	if payload.Authentication && (govalidator.IsNull(payload.Username) || govalidator.IsNull(payload.Password)) {
-		return errors.New("Invalid credentials. Username and password must be specified when authentication is enabled")
+		return portainer.Error("Invalid credentials. Username and password must be specified when authentication is enabled")
 	}
 	return nil
 }
@@ -44,7 +43,7 @@ func (handler *Handler) dockerhubUpdate(w http.ResponseWriter, r *http.Request)
 		dockerhub.Password = payload.Password
 	}

-	err = handler.DataStore.DockerHub().UpdateDockerHub(dockerhub)
+	err = handler.DockerHubService.UpdateDockerHub(dockerhub)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the Dockerhub changes inside the database", err}
 	}
--- a/api/http/handler/dockerhub/handler.go
+++ b/api/http/handler/dockerhub/handler.go
@@ -16,7 +16,7 @@ func hideFields(dockerHub *portainer.DockerHub) {
 // Handler is the HTTP handler used to handle DockerHub operations.
 type Handler struct {
 	*mux.Router
-	DataStore portainer.DataStore
+	DockerHubService portainer.DockerHubService
 }

 // NewHandler creates a handler to manage Dockerhub operations.
--- a/api/http/handler/edgegroups/associated_endpoints.go
+++ b/api/http/handler/edgegroups/associated_endpoints.go
@@ -11,7 +11,7 @@ func (handler *Handler) getEndpointsByTags(tagIDs []portainer.TagID, partialMatc
 		return []portainer.EndpointID{}, nil
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return nil, err
 	}
@@ -20,7 +20,7 @@ func (handler *Handler) getEndpointsByTags(tagIDs []portainer.TagID, partialMatc

 	tags := []portainer.Tag{}
 	for _, tagID := range tagIDs {
-		tag, err := handler.DataStore.Tag().Tag(tagID)
+		tag, err := handler.TagService.Tag(tagID)
 		if err != nil {
 			return nil, err
 		}
@@ -38,7 +38,7 @@ func (handler *Handler) getEndpointsByTags(tagIDs []portainer.TagID, partialMatc

 	results := []portainer.EndpointID{}
 	for _, endpoint := range endpoints {
-		if _, ok := endpointSet[endpoint.ID]; ok && (endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment) {
+		if _, ok := endpointSet[endpoint.ID]; ok && endpoint.Type == portainer.EdgeAgentEnvironment {
 			results = append(results, endpoint.ID)
 		}
 	}
--- a/api/http/handler/edgegroups/edgegroup_create.go
+++ b/api/http/handler/edgegroups/edgegroup_create.go
@@ -1,7 +1,6 @@
 package edgegroups

 import (
-	"errors"
 	"net/http"

 	"github.com/asaskevich/govalidator"
@@ -21,13 +20,13 @@ type edgeGroupCreatePayload struct {

 func (payload *edgeGroupCreatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Name) {
-		return errors.New("Invalid Edge group name")
+		return portainer.Error("Invalid Edge group name")
 	}
 	if payload.Dynamic && (payload.TagIDs == nil || len(payload.TagIDs) == 0) {
-		return errors.New("TagIDs is mandatory for a dynamic Edge group")
+		return portainer.Error("TagIDs is mandatory for a dynamic Edge group")
 	}
 	if !payload.Dynamic && (payload.Endpoints == nil || len(payload.Endpoints) == 0) {
-		return errors.New("Endpoints is mandatory for a static Edge group")
+		return portainer.Error("Endpoints is mandatory for a static Edge group")
 	}
 	return nil
 }
@@ -39,14 +38,14 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+	edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
 	}

 	for _, edgeGroup := range edgeGroups {
 		if edgeGroup.Name == payload.Name {
-			return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", errors.New("Edge group name must be unique")}
+			return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", portainer.Error("Edge group name must be unique")}
 		}
 	}

@@ -63,19 +62,19 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 	} else {
 		endpointIDs := []portainer.EndpointID{}
 		for _, endpointID := range payload.Endpoints {
-			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
+			endpoint, err := handler.EndpointService.Endpoint(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint from the database", err}
 			}

-			if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			if endpoint.Type == portainer.EdgeAgentEnvironment {
 				endpointIDs = append(endpointIDs, endpoint.ID)
 			}
 		}
 		edgeGroup.Endpoints = endpointIDs
 	}

-	err = handler.DataStore.EdgeGroup().CreateEdgeGroup(edgeGroup)
+	err = handler.EdgeGroupService.CreateEdgeGroup(edgeGroup)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the Edge group inside the database", err}
 	}
--- a/api/http/handler/edgegroups/edgegroup_delete.go
+++ b/api/http/handler/edgegroups/edgegroup_delete.go
@@ -1,14 +1,12 @@
 package edgegroups

 import (
-	"errors"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )

 func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -17,14 +15,14 @@ func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge group identifier route variable", err}
 	}

-	_, err = handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == bolterrors.ErrObjectNotFound {
+	_, err = handler.EdgeGroupService.EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
 	}

-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
+	edgeStacks, err := handler.EdgeStackService.EdgeStacks()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge stacks from the database", err}
 	}
@@ -32,12 +30,12 @@ func (handler *Handler) edgeGroupDelete(w http.ResponseWriter, r *http.Request)
 	for _, edgeStack := range edgeStacks {
 		for _, groupID := range edgeStack.EdgeGroups {
 			if groupID == portainer.EdgeGroupID(edgeGroupID) {
-				return &httperror.HandlerError{http.StatusForbidden, "Edge group is used by an Edge stack", errors.New("Edge group is used by an Edge stack")}
+				return &httperror.HandlerError{http.StatusForbidden, "Edge group is used by an Edge stack", portainer.Error("Edge group is used by an Edge stack")}
 			}
 		}
 	}

-	err = handler.DataStore.EdgeGroup().DeleteEdgeGroup(portainer.EdgeGroupID(edgeGroupID))
+	err = handler.EdgeGroupService.DeleteEdgeGroup(portainer.EdgeGroupID(edgeGroupID))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the Edge group from the database", err}
 	}
--- a/api/http/handler/edgegroups/edgegroup_inspect.go
+++ b/api/http/handler/edgegroups/edgegroup_inspect.go
@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 )

 func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -16,8 +15,8 @@ func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge group identifier route variable", err}
 	}

-	edgeGroup, err := handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == errors.ErrObjectNotFound {
+	edgeGroup, err := handler.EdgeGroupService.EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
--- a/api/http/handler/edgegroups/edgegroup_list.go
+++ b/api/http/handler/edgegroups/edgegroup_list.go
@@ -14,12 +14,12 @@ type decoratedEdgeGroup struct {
 }

 func (handler *Handler) edgeGroupList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+	edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
 	}

-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
+	edgeStacks, err := handler.EdgeStackService.EdgeStacks()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge stacks from the database", err}
 	}
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -1,16 +1,13 @@
 package edgegroups

 import (
-	"errors"
 	"net/http"

 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/internal/edge"
+	portainer "github.com/portainer/portainer/api"
 )

 type edgeGroupUpdatePayload struct {
@@ -23,13 +20,13 @@ type edgeGroupUpdatePayload struct {

 func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Name) {
-		return errors.New("Invalid Edge group name")
+		return portainer.Error("Invalid Edge group name")
 	}
 	if payload.Dynamic && (payload.TagIDs == nil || len(payload.TagIDs) == 0) {
-		return errors.New("TagIDs is mandatory for a dynamic Edge group")
+		return portainer.Error("TagIDs is mandatory for a dynamic Edge group")
 	}
 	if !payload.Dynamic && (payload.Endpoints == nil || len(payload.Endpoints) == 0) {
-		return errors.New("Endpoints is mandatory for a static Edge group")
+		return portainer.Error("Endpoints is mandatory for a static Edge group")
 	}
 	return nil
 }
@@ -46,37 +43,37 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	edgeGroup, err := handler.DataStore.EdgeGroup().EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
-	if err == bolterrors.ErrObjectNotFound {
+	edgeGroup, err := handler.EdgeGroupService.EdgeGroup(portainer.EdgeGroupID(edgeGroupID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge group with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge group with the specified identifier inside the database", err}
 	}

 	if payload.Name != "" {
-		edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+		edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge groups from the database", err}
 		}
 		for _, edgeGroup := range edgeGroups {
 			if edgeGroup.Name == payload.Name && edgeGroup.ID != portainer.EdgeGroupID(edgeGroupID) {
-				return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", errors.New("Edge group name must be unique")}
+				return &httperror.HandlerError{http.StatusBadRequest, "Edge group name must be unique", portainer.Error("Edge group name must be unique")}
 			}
 		}

 		edgeGroup.Name = payload.Name
 	}
-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
 	}

-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
 	}

-	oldRelatedEndpoints := edge.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)
+	oldRelatedEndpoints := portainer.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)

 	edgeGroup.Dynamic = payload.Dynamic
 	if edgeGroup.Dynamic {
@@ -84,12 +81,12 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 	} else {
 		endpointIDs := []portainer.EndpointID{}
 		for _, endpointID := range payload.Endpoints {
-			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
+			endpoint, err := handler.EndpointService.Endpoint(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint from the database", err}
 			}

-			if endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
+			if endpoint.Type == portainer.EdgeAgentEnvironment {
 				endpointIDs = append(endpointIDs, endpoint.ID)
 			}
 		}
@@ -100,12 +97,12 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 		edgeGroup.PartialMatch = *payload.PartialMatch
 	}

-	err = handler.DataStore.EdgeGroup().UpdateEdgeGroup(edgeGroup.ID, edgeGroup)
+	err = handler.EdgeGroupService.UpdateEdgeGroup(edgeGroup.ID, edgeGroup)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Edge group changes inside the database", err}
 	}

-	newRelatedEndpoints := edge.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)
+	newRelatedEndpoints := portainer.EdgeGroupRelatedEndpoints(edgeGroup, endpoints, endpointGroups)
 	endpointsToUpdate := append(newRelatedEndpoints, oldRelatedEndpoints...)

 	for _, endpointID := range endpointsToUpdate {
@@ -119,39 +116,39 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 }

 func (handler *Handler) updateEndpoint(endpointID portainer.EndpointID) error {
-	relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
+	relation, err := handler.EndpointRelationService.EndpointRelation(endpointID)
 	if err != nil {
 		return err
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
+	endpoint, err := handler.EndpointService.Endpoint(endpointID)
 	if err != nil {
 		return err
 	}

-	endpointGroup, err := handler.DataStore.EndpointGroup().EndpointGroup(endpoint.GroupID)
+	endpointGroup, err := handler.EndpointGroupService.EndpointGroup(endpoint.GroupID)
 	if err != nil {
 		return err
 	}

-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+	edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 	if err != nil {
 		return err
 	}

-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
+	edgeStacks, err := handler.EdgeStackService.EdgeStacks()
 	if err != nil {
 		return err
 	}

 	edgeStackSet := map[portainer.EdgeStackID]bool{}

-	endpointEdgeStacks := edge.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
+	endpointEdgeStacks := portainer.EndpointRelatedEdgeStacks(endpoint, endpointGroup, edgeGroups, edgeStacks)
 	for _, edgeStackID := range endpointEdgeStacks {
 		edgeStackSet[edgeStackID] = true
 	}

 	relation.EdgeStacks = edgeStackSet

-	return handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)
+	return handler.EndpointRelationService.UpdateEndpointRelation(endpoint.ID, relation)
 }
--- a/api/http/handler/edgegroups/handler.go
+++ b/api/http/handler/edgegroups/handler.go
@@ -12,7 +12,12 @@ import (
 // Handler is the HTTP handler used to handle endpoint group operations.
 type Handler struct {
 	*mux.Router
-	DataStore portainer.DataStore
+	EdgeGroupService        portainer.EdgeGroupService
+	EdgeStackService        portainer.EdgeStackService
+	EndpointService         portainer.EndpointService
+	EndpointGroupService    portainer.EndpointGroupService
+	EndpointRelationService portainer.EndpointRelationService
+	TagService              portainer.TagService
 }

 // NewHandler creates a handler to manage endpoint group operations.
@@ -21,14 +26,14 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router: mux.NewRouter(),
 	}
 	h.Handle("/edge_groups",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeGroupCreate)))).Methods(http.MethodPost)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupCreate))).Methods(http.MethodPost)
 	h.Handle("/edge_groups",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeGroupList)))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupList))).Methods(http.MethodGet)
 	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeGroupInspect)))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupInspect))).Methods(http.MethodGet)
 	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeGroupUpdate)))).Methods(http.MethodPut)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupUpdate))).Methods(http.MethodPut)
 	h.Handle("/edge_groups/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeGroupDelete)))).Methods(http.MethodDelete)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeGroupDelete))).Methods(http.MethodDelete)
 	return h
 }
--- a/api/http/handler/edgejobs/edgejob_create.go
+++ b/api/http/handler/edgejobs/edgejob_create.go
@@ -1,220 +0,0 @@
-package edgejobs
-
-import (
-	"errors"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-)
-
-// POST /api/edge_jobs?method=file|string
-func (handler *Handler) edgeJobCreate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method. Valid values are: file or string", err}
-	}
-
-	switch method {
-	case "string":
-		return handler.createEdgeJobFromFileContent(w, r)
-	case "file":
-		return handler.createEdgeJobFromFile(w, r)
-	default:
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method. Valid values are: file or string", errors.New(request.ErrInvalidQueryParameter)}
-	}
-}
-
-type edgeJobCreateFromFileContentPayload struct {
-	Name           string
-	CronExpression string
-	Recurring      bool
-	Endpoints      []portainer.EndpointID
-	FileContent    string
-}
-
-func (payload *edgeJobCreateFromFileContentPayload) Validate(r *http.Request) error {
-	if govalidator.IsNull(payload.Name) {
-		return errors.New("Invalid Edge job name")
-	}
-
-	if !govalidator.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`) {
-		return errors.New("Invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
-	}
-
-	if govalidator.IsNull(payload.CronExpression) {
-		return errors.New("Invalid cron expression")
-	}
-
-	if payload.Endpoints == nil || len(payload.Endpoints) == 0 {
-		return errors.New("Invalid endpoints payload")
-	}
-
-	if govalidator.IsNull(payload.FileContent) {
-		return errors.New("Invalid script file content")
-	}
-
-	return nil
-}
-
-func (handler *Handler) createEdgeJobFromFileContent(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	var payload edgeJobCreateFromFileContentPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	edgeJob := handler.createEdgeJobObjectFromFileContentPayload(&payload)
-
-	err = handler.addAndPersistEdgeJob(edgeJob, []byte(payload.FileContent))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to schedule Edge job", err}
-	}
-
-	return response.JSON(w, edgeJob)
-}
-
-type edgeJobCreateFromFilePayload struct {
-	Name           string
-	CronExpression string
-	Recurring      bool
-	Endpoints      []portainer.EndpointID
-	File           []byte
-}
-
-func (payload *edgeJobCreateFromFilePayload) Validate(r *http.Request) error {
-	name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
-	if err != nil {
-		return errors.New("Invalid Edge job name")
-	}
-
-	if !govalidator.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
-		return errors.New("Invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
-	}
-	payload.Name = name
-
-	cronExpression, err := request.RetrieveMultiPartFormValue(r, "CronExpression", false)
-	if err != nil {
-		return errors.New("Invalid cron expression")
-	}
-	payload.CronExpression = cronExpression
-
-	var endpoints []portainer.EndpointID
-	err = request.RetrieveMultiPartFormJSONValue(r, "Endpoints", &endpoints, false)
-	if err != nil {
-		return errors.New("Invalid endpoints")
-	}
-	payload.Endpoints = endpoints
-
-	file, _, err := request.RetrieveMultiPartFormFile(r, "file")
-	if err != nil {
-		return errors.New("Invalid script file. Ensure that the file is uploaded correctly")
-	}
-	payload.File = file
-
-	return nil
-}
-
-func (handler *Handler) createEdgeJobFromFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	payload := &edgeJobCreateFromFilePayload{}
-	err := payload.Validate(r)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	edgeJob := handler.createEdgeJobObjectFromFilePayload(payload)
-
-	err = handler.addAndPersistEdgeJob(edgeJob, payload.File)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to schedule Edge job", err}
-	}
-
-	return response.JSON(w, edgeJob)
-}
-
-func (handler *Handler) createEdgeJobObjectFromFilePayload(payload *edgeJobCreateFromFilePayload) *portainer.EdgeJob {
-	edgeJobIdentifier := portainer.EdgeJobID(handler.DataStore.EdgeJob().GetNextIdentifier())
-
-	endpoints := convertEndpointsToMetaObject(payload.Endpoints)
-
-	edgeJob := &portainer.EdgeJob{
-		ID:             edgeJobIdentifier,
-		Name:           payload.Name,
-		CronExpression: payload.CronExpression,
-		Recurring:      payload.Recurring,
-		Created:        time.Now().Unix(),
-		Endpoints:      endpoints,
-		Version:        1,
-	}
-
-	return edgeJob
-}
-
-func (handler *Handler) createEdgeJobObjectFromFileContentPayload(payload *edgeJobCreateFromFileContentPayload) *portainer.EdgeJob {
-	edgeJobIdentifier := portainer.EdgeJobID(handler.DataStore.EdgeJob().GetNextIdentifier())
-
-	endpoints := convertEndpointsToMetaObject(payload.Endpoints)
-
-	edgeJob := &portainer.EdgeJob{
-		ID:             edgeJobIdentifier,
-		Name:           payload.Name,
-		CronExpression: payload.CronExpression,
-		Recurring:      payload.Recurring,
-		Created:        time.Now().Unix(),
-		Endpoints:      endpoints,
-		Version:        1,
-	}
-
-	return edgeJob
-}
-
-func (handler *Handler) addAndPersistEdgeJob(edgeJob *portainer.EdgeJob, file []byte) error {
-	edgeCronExpression := strings.Split(edgeJob.CronExpression, " ")
-	if len(edgeCronExpression) == 6 {
-		edgeCronExpression = edgeCronExpression[1:]
-	}
-	edgeJob.CronExpression = strings.Join(edgeCronExpression, " ")
-
-	for ID := range edgeJob.Endpoints {
-		endpoint, err := handler.DataStore.Endpoint().Endpoint(ID)
-		if err != nil {
-			return err
-		}
-
-		if endpoint.Type != portainer.EdgeAgentOnDockerEnvironment && endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
-			delete(edgeJob.Endpoints, ID)
-		}
-	}
-
-	if len(edgeJob.Endpoints) == 0 {
-		return errors.New("Endpoints are mandatory for an Edge job")
-	}
-
-	scriptPath, err := handler.FileService.StoreEdgeJobFileFromBytes(strconv.Itoa(int(edgeJob.ID)), file)
-	if err != nil {
-		return err
-	}
-	edgeJob.ScriptPath = scriptPath
-
-	for endpointID := range edgeJob.Endpoints {
-		handler.ReverseTunnelService.AddEdgeJob(endpointID, edgeJob)
-	}
-
-	return handler.DataStore.EdgeJob().CreateEdgeJob(edgeJob)
-}
-
-func convertEndpointsToMetaObject(endpoints []portainer.EndpointID) map[portainer.EndpointID]portainer.EdgeJobEndpointMeta {
-	endpointsMap := map[portainer.EndpointID]portainer.EdgeJobEndpointMeta{}
-
-	for _, endpointID := range endpoints {
-		endpointsMap[endpointID] = portainer.EdgeJobEndpointMeta{}
-	}
-
-	return endpointsMap
-}
--- a/api/http/handler/edgejobs/edgejob_delete.go
+++ b/api/http/handler/edgejobs/edgejob_delete.go
@@ -1,41 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-func (handler *Handler) edgeJobDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	edgeJobFolder := handler.FileService.GetEdgeJobFolder(strconv.Itoa(edgeJobID))
-	err = handler.FileService.RemoveDirectory(edgeJobFolder)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the files associated to the Edge job on the filesystem", err}
-	}
-
-	handler.ReverseTunnelService.RemoveEdgeJob(edgeJob.ID)
-
-	err = handler.DataStore.EdgeJob().DeleteEdgeJob(edgeJob.ID)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the Edge job from the database", err}
-	}
-
-	return response.Empty(w)
-}
--- a/api/http/handler/edgejobs/edgejob_file.go
+++ b/api/http/handler/edgejobs/edgejob_file.go
@@ -1,37 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-type edgeJobFileResponse struct {
-	FileContent string `json:"FileContent"`
-}
-
-// GET request on /api/edge_jobs/:id/file
-func (handler *Handler) edgeJobFile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	edgeJobFileContent, err := handler.FileService.GetFileContent(edgeJob.ScriptPath)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge job script file from disk", err}
-	}
-
-	return response.JSON(w, &edgeJobFileResponse{FileContent: string(edgeJobFileContent)})
-}
--- a/api/http/handler/edgejobs/edgejob_inspect.go
+++ b/api/http/handler/edgejobs/edgejob_inspect.go
@@ -1,43 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-type edgeJobInspectResponse struct {
-	*portainer.EdgeJob
-	Endpoints []portainer.EndpointID
-}
-
-func (handler *Handler) edgeJobInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	endpointIDs := []portainer.EndpointID{}
-
-	for endpointID := range edgeJob.Endpoints {
-		endpointIDs = append(endpointIDs, endpointID)
-	}
-
-	responseObj := edgeJobInspectResponse{
-		EdgeJob:   edgeJob,
-		Endpoints: endpointIDs,
-	}
-
-	return response.JSON(w, responseObj)
-}
--- a/api/http/handler/edgejobs/edgejob_list.go
+++ b/api/http/handler/edgejobs/edgejob_list.go
@@ -1,18 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/response"
-)
-
-// GET request on /api/edge_jobs
-func (handler *Handler) edgeJobList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobs, err := handler.DataStore.EdgeJob().EdgeJobs()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Edge jobs from the database", err}
-	}
-
-	return response.JSON(w, edgeJobs)
-}
--- a/api/http/handler/edgejobs/edgejob_tasklogs_clear.go
+++ b/api/http/handler/edgejobs/edgejob_tasklogs_clear.go
@@ -1,53 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-// DELETE request on /api/edge_jobs/:id/tasks/:taskID/logs
-func (handler *Handler) edgeJobTasksClear(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	taskID, err := request.RetrieveNumericRouteVariableValue(r, "taskID")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Task identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	endpointID := portainer.EndpointID(taskID)
-
-	meta := edgeJob.Endpoints[endpointID]
-	meta.CollectLogs = false
-	meta.LogsStatus = portainer.EdgeJobLogsStatusIdle
-	edgeJob.Endpoints[endpointID] = meta
-
-	err = handler.FileService.ClearEdgeJobTaskLogs(strconv.Itoa(edgeJobID), strconv.Itoa(taskID))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to clear log file from disk", err}
-	}
-
-	handler.ReverseTunnelService.AddEdgeJob(endpointID, edgeJob)
-
-	err = handler.DataStore.EdgeJob().UpdateEdgeJob(edgeJob.ID, edgeJob)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Edge job changes in the database", err}
-	}
-
-	return response.Empty(w)
-}
--- a/api/http/handler/edgejobs/edgejob_tasklogs_collect.go
+++ b/api/http/handler/edgejobs/edgejob_tasklogs_collect.go
@@ -1,47 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-// POST request on /api/edge_jobs/:id/tasks/:taskID/logs
-func (handler *Handler) edgeJobTasksCollect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	taskID, err := request.RetrieveNumericRouteVariableValue(r, "taskID")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Task identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	endpointID := portainer.EndpointID(taskID)
-
-	meta := edgeJob.Endpoints[endpointID]
-	meta.CollectLogs = true
-	meta.LogsStatus = portainer.EdgeJobLogsStatusPending
-	edgeJob.Endpoints[endpointID] = meta
-
-	handler.ReverseTunnelService.AddEdgeJob(endpointID, edgeJob)
-
-	err = handler.DataStore.EdgeJob().UpdateEdgeJob(edgeJob.ID, edgeJob)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Edge job changes in the database", err}
-	}
-
-	return response.Empty(w)
-}
--- a/api/http/handler/edgejobs/edgejob_tasklogs_inspect.go
+++ b/api/http/handler/edgejobs/edgejob_tasklogs_inspect.go
@@ -1,36 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-	"strconv"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-)
-
-type fileResponse struct {
-	FileContent string `json:"FileContent"`
-}
-
-// GET request on /api/edge_jobs/:id/tasks/:taskID/logs
-func (handler *Handler) edgeJobTaskLogsInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	taskID, err := request.RetrieveNumericRouteVariableValue(r, "taskID")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Task identifier route variable", err}
-	}
-
-	logFileContent, err := handler.FileService.GetEdgeJobTaskLogFileContent(strconv.Itoa(edgeJobID), strconv.Itoa(taskID))
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve log file from disk", err}
-	}
-
-	return response.JSON(w, &fileResponse{FileContent: string(logFileContent)})
-}
-
-// fmt.Sprintf("/tmp/edge_jobs/%s/logs_%s", edgeJobID, taskID)
--- a/api/http/handler/edgejobs/edgejob_tasks_list.go
+++ b/api/http/handler/edgejobs/edgejob_tasks_list.go
@@ -1,48 +0,0 @@
-package edgejobs
-
-import (
-	"fmt"
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-type taskContainer struct {
-	ID         string                      `json:"Id"`
-	EndpointID portainer.EndpointID        `json:"EndpointId"`
-	LogsStatus portainer.EdgeJobLogsStatus `json:"LogsStatus"`
-}
-
-// GET request on /api/edge_jobs/:id/tasks
-func (handler *Handler) edgeJobTasksList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	tasks := make([]taskContainer, 0)
-
-	for endpointID, meta := range edgeJob.Endpoints {
-
-		cronTask := taskContainer{
-			ID:         fmt.Sprintf("edgejob_task_%d_%d", edgeJob.ID, endpointID),
-			EndpointID: endpointID,
-			LogsStatus: meta.LogsStatus,
-		}
-
-		tasks = append(tasks, cronTask)
-	}
-
-	return response.JSON(w, tasks)
-}
--- a/api/http/handler/edgejobs/edgejob_update.go
+++ b/api/http/handler/edgejobs/edgejob_update.go
@@ -1,120 +0,0 @@
-package edgejobs
-
-import (
-	"errors"
-	"net/http"
-	"strconv"
-
-	"github.com/asaskevich/govalidator"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/libhttp/request"
-	"github.com/portainer/libhttp/response"
-	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-)
-
-type edgeJobUpdatePayload struct {
-	Name           *string
-	CronExpression *string
-	Recurring      *bool
-	Endpoints      []portainer.EndpointID
-	FileContent    *string
-}
-
-func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
-	if payload.Name != nil && !govalidator.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
-		return errors.New("Invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
-	}
-	return nil
-}
-
-func (handler *Handler) edgeJobUpdate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeJobID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid Edge job identifier route variable", err}
-	}
-
-	var payload edgeJobUpdatePayload
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
-	}
-
-	edgeJob, err := handler.DataStore.EdgeJob().EdgeJob(portainer.EdgeJobID(edgeJobID))
-	if err == bolterrors.ErrObjectNotFound {
-		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an Edge job with the specified identifier inside the database", err}
-	} else if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an Edge job with the specified identifier inside the database", err}
-	}
-
-	err = handler.updateEdgeSchedule(edgeJob, &payload)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update Edge job", err}
-	}
-
-	err = handler.DataStore.EdgeJob().UpdateEdgeJob(edgeJob.ID, edgeJob)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist Edge job changes inside the database", err}
-	}
-
-	return response.JSON(w, edgeJob)
-}
-
-func (handler *Handler) updateEdgeSchedule(edgeJob *portainer.EdgeJob, payload *edgeJobUpdatePayload) error {
-	if payload.Name != nil {
-		edgeJob.Name = *payload.Name
-	}
-
-	if payload.Endpoints != nil {
-		endpointsMap := map[portainer.EndpointID]portainer.EdgeJobEndpointMeta{}
-
-		for _, endpointID := range payload.Endpoints {
-			endpoint, err := handler.DataStore.Endpoint().Endpoint(endpointID)
-			if err != nil {
-				return err
-			}
-
-			if endpoint.Type != portainer.EdgeAgentOnDockerEnvironment && endpoint.Type != portainer.EdgeAgentOnKubernetesEnvironment {
-				continue
-			}
-
-			if meta, ok := edgeJob.Endpoints[endpointID]; ok {
-				endpointsMap[endpointID] = meta
-			} else {
-				endpointsMap[endpointID] = portainer.EdgeJobEndpointMeta{}
-			}
-		}
-
-		edgeJob.Endpoints = endpointsMap
-	}
-
-	updateVersion := false
-	if payload.CronExpression != nil {
-		edgeJob.CronExpression = *payload.CronExpression
-		updateVersion = true
-	}
-
-	if payload.FileContent != nil {
-		_, err := handler.FileService.StoreEdgeJobFileFromBytes(strconv.Itoa(int(edgeJob.ID)), []byte(*payload.FileContent))
-		if err != nil {
-			return err
-		}
-
-		updateVersion = true
-	}
-
-	if payload.Recurring != nil {
-		edgeJob.Recurring = *payload.Recurring
-		updateVersion = true
-	}
-
-	if updateVersion {
-		edgeJob.Version++
-	}
-
-	for endpointID := range edgeJob.Endpoints {
-		handler.ReverseTunnelService.AddEdgeJob(endpointID, edgeJob)
-	}
-
-	return nil
-}
--- a/api/http/handler/edgejobs/handler.go
+++ b/api/http/handler/edgejobs/handler.go
@@ -1,47 +0,0 @@
-package edgejobs
-
-import (
-	"net/http"
-
-	"github.com/gorilla/mux"
-	httperror "github.com/portainer/libhttp/error"
-	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-)
-
-// Handler is the HTTP handler used to handle Edge job operations.
-type Handler struct {
-	*mux.Router
-	DataStore            portainer.DataStore
-	FileService          portainer.FileService
-	ReverseTunnelService portainer.ReverseTunnelService
-}
-
-// NewHandler creates a handler to manage Edge job operations.
-func NewHandler(bouncer *security.RequestBouncer) *Handler {
-	h := &Handler{
-		Router: mux.NewRouter(),
-	}
-
-	h.Handle("/edge_jobs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobList)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobCreate)))).Methods(http.MethodPost)
-	h.Handle("/edge_jobs/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobInspect)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobUpdate)))).Methods(http.MethodPut)
-	h.Handle("/edge_jobs/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobDelete)))).Methods(http.MethodDelete)
-	h.Handle("/edge_jobs/{id}/file",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobFile)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs/{id}/tasks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobTasksList)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs/{id}/tasks/{taskID}/logs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobTaskLogsInspect)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs/{id}/tasks/{taskID}/logs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobTasksCollect)))).Methods(http.MethodPost)
-	h.Handle("/edge_jobs/{id}/tasks/{taskID}/logs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobTasksClear)))).Methods(http.MethodDelete)
-	return h
-}
--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -13,7 +13,6 @@ import (
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/filesystem"
-	"github.com/portainer/portainer/api/internal/edge"
 )

 // POST request on /api/endpoint_groups
@@ -28,32 +27,32 @@ func (handler *Handler) edgeStackCreate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to create Edge stack", err}
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
 	}

-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
 	}

-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+	edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
 	}

-	relatedEndpoints, err := edge.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
+	relatedEndpoints, err := portainer.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)

 	for _, endpointID := range relatedEndpoints {
-		relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
+		relation, err := handler.EndpointRelationService.EndpointRelation(endpointID)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
 		}

 		relation.EdgeStacks[edgeStack.ID] = true

-		err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
+		err = handler.EndpointRelationService.UpdateEndpointRelation(endpointID, relation)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
 		}
@@ -82,13 +81,13 @@ type swarmStackFromFileContentPayload struct {

 func (payload *swarmStackFromFileContentPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Name) {
-		return errors.New("Invalid stack name")
+		return portainer.Error("Invalid stack name")
 	}
 	if govalidator.IsNull(payload.StackFileContent) {
-		return errors.New("Invalid stack file content")
+		return portainer.Error("Invalid stack file content")
 	}
 	if payload.EdgeGroups == nil || len(payload.EdgeGroups) == 0 {
-		return errors.New("Edge Groups are mandatory for an Edge stack")
+		return portainer.Error("Edge Groups are mandatory for an Edge stack")
 	}
 	return nil
 }
@@ -105,7 +104,7 @@ func (handler *Handler) createSwarmStackFromFileContent(r *http.Request) (*porta
 		return nil, err
 	}

-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
+	stackID := handler.EdgeStackService.GetNextIdentifier()
 	stack := &portainer.EdgeStack{
 		ID:           portainer.EdgeStackID(stackID),
 		Name:         payload.Name,
@@ -123,7 +122,7 @@ func (handler *Handler) createSwarmStackFromFileContent(r *http.Request) (*porta
 	}
 	stack.ProjectPath = projectPath

-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
+	err = handler.EdgeStackService.CreateEdgeStack(stack)
 	if err != nil {
 		return nil, err
 	}
@@ -144,19 +143,19 @@ type swarmStackFromGitRepositoryPayload struct {

 func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.Name) {
-		return errors.New("Invalid stack name")
+		return portainer.Error("Invalid stack name")
 	}
 	if govalidator.IsNull(payload.RepositoryURL) || !govalidator.IsURL(payload.RepositoryURL) {
-		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
+		return portainer.Error("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && (govalidator.IsNull(payload.RepositoryUsername) || govalidator.IsNull(payload.RepositoryPassword)) {
-		return errors.New("Invalid repository credentials. Username and password must be specified when authentication is enabled")
+		return portainer.Error("Invalid repository credentials. Username and password must be specified when authentication is enabled")
 	}
 	if govalidator.IsNull(payload.ComposeFilePathInRepository) {
 		payload.ComposeFilePathInRepository = filesystem.ComposeFileDefaultName
 	}
 	if payload.EdgeGroups == nil || len(payload.EdgeGroups) == 0 {
-		return errors.New("Edge Groups are mandatory for an Edge stack")
+		return portainer.Error("Edge Groups are mandatory for an Edge stack")
 	}
 	return nil
 }
@@ -173,7 +172,7 @@ func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*por
 		return nil, err
 	}

-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
+	stackID := handler.EdgeStackService.GetNextIdentifier()
 	stack := &portainer.EdgeStack{
 		ID:           portainer.EdgeStackID(stackID),
 		Name:         payload.Name,
@@ -201,7 +200,7 @@ func (handler *Handler) createSwarmStackFromGitRepository(r *http.Request) (*por
 		return nil, err
 	}

-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
+	err = handler.EdgeStackService.CreateEdgeStack(stack)
 	if err != nil {
 		return nil, err
 	}
@@ -218,20 +217,20 @@ type swarmStackFromFileUploadPayload struct {
 func (payload *swarmStackFromFileUploadPayload) Validate(r *http.Request) error {
 	name, err := request.RetrieveMultiPartFormValue(r, "Name", false)
 	if err != nil {
-		return errors.New("Invalid stack name")
+		return portainer.Error("Invalid stack name")
 	}
 	payload.Name = name

 	composeFileContent, _, err := request.RetrieveMultiPartFormFile(r, "file")
 	if err != nil {
-		return errors.New("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
+		return portainer.Error("Invalid Compose file. Ensure that the Compose file is uploaded correctly")
 	}
 	payload.StackFileContent = composeFileContent

 	var edgeGroups []portainer.EdgeGroupID
 	err = request.RetrieveMultiPartFormJSONValue(r, "EdgeGroups", &edgeGroups, false)
 	if err != nil || len(edgeGroups) == 0 {
-		return errors.New("Edge Groups are mandatory for an Edge stack")
+		return portainer.Error("Edge Groups are mandatory for an Edge stack")
 	}
 	payload.EdgeGroups = edgeGroups
 	return nil
@@ -249,7 +248,7 @@ func (handler *Handler) createSwarmStackFromFileUpload(r *http.Request) (*portai
 		return nil, err
 	}

-	stackID := handler.DataStore.EdgeStack().GetNextIdentifier()
+	stackID := handler.EdgeStackService.GetNextIdentifier()
 	stack := &portainer.EdgeStack{
 		ID:           portainer.EdgeStackID(stackID),
 		Name:         payload.Name,
@@ -267,7 +266,7 @@ func (handler *Handler) createSwarmStackFromFileUpload(r *http.Request) (*portai
 	}
 	stack.ProjectPath = projectPath

-	err = handler.DataStore.EdgeStack().CreateEdgeStack(stack)
+	err = handler.EdgeStackService.CreateEdgeStack(stack)
 	if err != nil {
 		return nil, err
 	}
@@ -276,14 +275,14 @@ func (handler *Handler) createSwarmStackFromFileUpload(r *http.Request) (*portai
 }

 func (handler *Handler) validateUniqueName(name string) error {
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
+	edgeStacks, err := handler.EdgeStackService.EdgeStacks()
 	if err != nil {
 		return err
 	}

 	for _, stack := range edgeStacks {
 		if strings.EqualFold(stack.Name, name) {
-			return errors.New("Edge stack name must be unique")
+			return portainer.Error("Edge stack name must be unique")
 		}
 	}
 	return nil
--- a/api/http/handler/edgestacks/edgestack_delete.go
+++ b/api/http/handler/edgestacks/edgestack_delete.go
@@ -7,8 +7,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/internal/edge"
 )

 func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -17,44 +15,44 @@ func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
 	}

-	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err == errors.ErrObjectNotFound {
+	edgeStack, err := handler.EdgeStackService.EdgeStack(portainer.EdgeStackID(edgeStackID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
 	}

-	err = handler.DataStore.EdgeStack().DeleteEdgeStack(portainer.EdgeStackID(edgeStackID))
+	err = handler.EdgeStackService.DeleteEdgeStack(portainer.EdgeStackID(edgeStackID))
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to remove the edge stack from the database", err}
 	}

-	endpoints, err := handler.DataStore.Endpoint().Endpoints()
+	endpoints, err := handler.EndpointService.Endpoints()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
 	}

-	endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+	endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
 	}

-	edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+	edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
 	}

-	relatedEndpoints, err := edge.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
+	relatedEndpoints, err := portainer.EdgeStackRelatedEndpoints(edgeStack.EdgeGroups, endpoints, endpointGroups, edgeGroups)

 	for _, endpointID := range relatedEndpoints {
-		relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
+		relation, err := handler.EndpointRelationService.EndpointRelation(endpointID)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
 		}

 		delete(relation.EdgeStacks, edgeStack.ID)

-		err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
+		err = handler.EndpointRelationService.UpdateEndpointRelation(endpointID, relation)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
 		}
--- a/api/http/handler/edgestacks/edgestack_file.go
+++ b/api/http/handler/edgestacks/edgestack_file.go
@@ -8,7 +8,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 )

 type stackFileResponse struct {
@@ -22,8 +21,8 @@ func (handler *Handler) edgeStackFile(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
 	}

-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == errors.ErrObjectNotFound {
+	stack, err := handler.EdgeStackService.EdgeStack(portainer.EdgeStackID(stackID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
--- a/api/http/handler/edgestacks/edgestack_inspect.go
+++ b/api/http/handler/edgestacks/edgestack_inspect.go
@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/bolt/errors"
 )

 func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
@@ -16,8 +15,8 @@ func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid edge stack identifier route variable", err}
 	}

-	edgeStack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(edgeStackID))
-	if err == errors.ErrObjectNotFound {
+	edgeStack, err := handler.EdgeStackService.EdgeStack(portainer.EdgeStackID(edgeStackID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an edge stack with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an edge stack with the specified identifier inside the database", err}
--- a/api/http/handler/edgestacks/edgestack_list.go
+++ b/api/http/handler/edgestacks/edgestack_list.go
@@ -8,7 +8,7 @@ import (
 )

 func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
+	edgeStacks, err := handler.EdgeStackService.EdgeStacks()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stacks from the database", err}
 	}
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -1,7 +1,6 @@
 package edgestacks

 import (
-	"errors"
 	"net/http"

 	"github.com/asaskevich/govalidator"
@@ -9,7 +8,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
 )

 type updateStatusPayload struct {
@@ -20,13 +18,13 @@ type updateStatusPayload struct {

 func (payload *updateStatusPayload) Validate(r *http.Request) error {
 	if payload.Status == nil {
-		return errors.New("Invalid status")
+		return portainer.Error("Invalid status")
 	}
 	if payload.EndpointID == nil {
-		return errors.New("Invalid EndpointID")
+		return portainer.Error("Invalid EndpointID")
 	}
 	if *payload.Status == portainer.StatusError && govalidator.IsNull(payload.Error) {
-		return errors.New("Error message is mandatory when status is error")
+		return portainer.Error("Error message is mandatory when status is error")
 	}
 	return nil
 }
@@ -37,8 +35,8 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
 	}

-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == bolterrors.ErrObjectNotFound {
+	stack, err := handler.EdgeStackService.EdgeStack(portainer.EdgeStackID(stackID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
@@ -50,8 +48,8 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
 	}

-	endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(*payload.EndpointID))
-	if err == bolterrors.ErrObjectNotFound {
+	endpoint, err := handler.EndpointService.Endpoint(portainer.EndpointID(*payload.EndpointID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find an endpoint with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find an endpoint with the specified identifier inside the database", err}
@@ -68,7 +66,7 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		EndpointID: *payload.EndpointID,
 	}

-	err = handler.DataStore.EdgeStack().UpdateEdgeStack(stack.ID, stack)
+	err = handler.EdgeStackService.UpdateEdgeStack(stack.ID, stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
 	}
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -1,7 +1,6 @@
 package edgestacks

 import (
-	"errors"
 	"net/http"
 	"strconv"

@@ -10,8 +9,6 @@ import (
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
 	"github.com/portainer/portainer/api"
-	bolterrors "github.com/portainer/portainer/api/bolt/errors"
-	"github.com/portainer/portainer/api/internal/edge"
 )

 type updateEdgeStackPayload struct {
@@ -23,10 +20,10 @@ type updateEdgeStackPayload struct {

 func (payload *updateEdgeStackPayload) Validate(r *http.Request) error {
 	if govalidator.IsNull(payload.StackFileContent) {
-		return errors.New("Invalid stack file content")
+		return portainer.Error("Invalid stack file content")
 	}
 	if payload.EdgeGroups != nil && len(payload.EdgeGroups) == 0 {
-		return errors.New("Edge Groups are mandatory for an Edge stack")
+		return portainer.Error("Edge Groups are mandatory for an Edge stack")
 	}
 	return nil
 }
@@ -37,8 +34,8 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 		return &httperror.HandlerError{http.StatusBadRequest, "Invalid stack identifier route variable", err}
 	}

-	stack, err := handler.DataStore.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
-	if err == bolterrors.ErrObjectNotFound {
+	stack, err := handler.EdgeStackService.EdgeStack(portainer.EdgeStackID(stackID))
+	if err == portainer.ErrObjectNotFound {
 		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a stack with the specified identifier inside the database", err}
 	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a stack with the specified identifier inside the database", err}
@@ -51,27 +48,27 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 	}

 	if payload.EdgeGroups != nil {
-		endpoints, err := handler.DataStore.Endpoint().Endpoints()
+		endpoints, err := handler.EndpointService.Endpoints()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoints from database", err}
 		}

-		endpointGroups, err := handler.DataStore.EndpointGroup().EndpointGroups()
+		endpointGroups, err := handler.EndpointGroupService.EndpointGroups()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve endpoint groups from database", err}
 		}

-		edgeGroups, err := handler.DataStore.EdgeGroup().EdgeGroups()
+		edgeGroups, err := handler.EdgeGroupService.EdgeGroups()
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge groups from database", err}
 		}

-		oldRelated, err := edge.EdgeStackRelatedEndpoints(stack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
+		oldRelated, err := portainer.EdgeStackRelatedEndpoints(stack.EdgeGroups, endpoints, endpointGroups, edgeGroups)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stack related endpoints from database", err}
 		}

-		newRelated, err := edge.EdgeStackRelatedEndpoints(payload.EdgeGroups, endpoints, endpointGroups, edgeGroups)
+		newRelated, err := portainer.EdgeStackRelatedEndpoints(payload.EdgeGroups, endpoints, endpointGroups, edgeGroups)
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve edge stack related endpoints from database", err}
 		}
@@ -87,14 +84,14 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 		}

 		for endpointID := range endpointsToRemove {
-			relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
+			relation, err := handler.EndpointRelationService.EndpointRelation(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
 			}

 			delete(relation.EdgeStacks, stack.ID)

-			err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
+			err = handler.EndpointRelationService.UpdateEndpointRelation(endpointID, relation)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
 			}
@@ -108,14 +105,14 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 		}

 		for endpointID := range endpointsToAdd {
-			relation, err := handler.DataStore.EndpointRelation().EndpointRelation(endpointID)
+			relation, err := handler.EndpointRelationService.EndpointRelation(endpointID)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find endpoint relation in database", err}
 			}

 			relation.EdgeStacks[stack.ID] = true

-			err = handler.DataStore.EndpointRelation().UpdateEndpointRelation(endpointID, relation)
+			err = handler.EndpointRelationService.UpdateEndpointRelation(endpointID, relation)
 			if err != nil {
 				return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist endpoint relation in database", err}
 			}
@@ -140,7 +137,7 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 		stack.Status = map[portainer.EndpointID]portainer.EdgeStackStatus{}
 	}

-	err = handler.DataStore.EdgeStack().UpdateEdgeStack(stack.ID, stack)
+	err = handler.EdgeStackService.UpdateEdgeStack(stack.ID, stack)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the stack changes inside the database", err}
 	}
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -12,10 +12,14 @@ import (
 // Handler is the HTTP handler used to handle endpoint group operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer *security.RequestBouncer
-	DataStore      portainer.DataStore
-	FileService    portainer.FileService
-	GitService     portainer.GitService
+	requestBouncer          *security.RequestBouncer
+	EdgeGroupService        portainer.EdgeGroupService
+	EdgeStackService        portainer.EdgeStackService
+	EndpointService         portainer.EndpointService
+	EndpointGroupService    portainer.EndpointGroupService
+	EndpointRelationService portainer.EndpointRelationService
+	FileService             portainer.FileService
+	GitService              portainer.GitService
 }

 // NewHandler creates a handler to manage endpoint group operations.
@@ -25,17 +29,17 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		requestBouncer: bouncer,
 	}
 	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackCreate)))).Methods(http.MethodPost)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackCreate))).Methods(http.MethodPost)
 	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackList)))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackList))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackInspect)))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackInspect))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackUpdate)))).Methods(http.MethodPut)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackUpdate))).Methods(http.MethodPut)
 	h.Handle("/edge_stacks/{id}",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackDelete)))).Methods(http.MethodDelete)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackDelete))).Methods(http.MethodDelete)
 	h.Handle("/edge_stacks/{id}/file",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackFile)))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.edgeStackFile))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}/status",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.edgeStackStatusUpdate))).Methods(http.MethodPut)
 	return h
--- a/api/http/handler/edgetemplates/edgetemplate_list.go
+++ b/api/http/handler/edgetemplates/edgetemplate_list.go
@@ -2,6 +2,7 @@ package edgetemplates

 import (
 	"encoding/json"
+	"log"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@@ -10,39 +11,35 @@ import (
 	"github.com/portainer/portainer/api/http/client"
 )

-type templateFileFormat struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
 // GET request on /api/edgetemplates
 func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
+	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

-	url := portainer.DefaultTemplatesURL
+	url := portainer.EdgeTemplatesURL
 	if settings.TemplatesURL != "" {
 		url = settings.TemplatesURL
 	}

 	var templateData []byte
-	templateData, err = client.Get(url, 10)
+	templateData, err = client.Get(url, 0)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve external templates", err}
 	}

-	var templateFile templateFileFormat
+	var templates []portainer.Template

-	err = json.Unmarshal(templateData, &templateFile)
+	err = json.Unmarshal(templateData, &templates)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to parse template file", err}
+		log.Printf("[DEBUG] [http,edge,templates] [failed parsing edge templates] [body: %s]", templateData)
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to parse external templates", err}
 	}

-	filteredTemplates := make([]portainer.Template, 0)
+	filteredTemplates := []portainer.Template{}

-	for _, template := range templateFile.Templates {
+	for _, template := range templates {
 		if template.Type == portainer.EdgeStackTemplate {
 			filteredTemplates = append(filteredTemplates, template)
 		}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Anthony Lapenna	df3886fd25	Merge tag '1.24.1' into demo Release 1.24.1	2020-07-23 11:43:41 +12:00
Anthony Lapenna	f347d97daf	chore(version): bump version number	2020-07-23 10:28:34 +12:00
Anthony Lapenna	d5cee5b8b1	feat(core/extensions): add the ability to update a license (#4081 ) * feat(core/extensions): add the ability to update a license * feat(core/extensions): trigger data upgrade if extension is not enabled yet * feat(core/extensions): trigger data upgrade if extension is not enabled yet * feat(core/extensions): trigger data upgrade if extension is not enabled yet * feat(core/extensions): trigger data upgrade if extension is not enabled yet	2020-07-22 21:13:51 +12:00
Anthony Lapenna	4da6824bc7	feat(database): review database migration (#4054 )	2020-07-17 17:04:32 +12:00
Chaim Lev-Ari	80b6b6e300	fix(registries): filter gitlab repos without tags (#4048 )	2020-07-16 20:57:52 +12:00
Anthony Lapenna	484dab5932	feat(database): trigger missing database migration for AllowHostNamespaceForRegularUsers setting (#4035 )	2020-07-13 22:27:22 +12:00
Chaim Lev-Ari	f8bd075ce4	feat(containers): disable edit container on security setting restricting regular users (#4033 ) * feat(settings): add info about container edit disable * feat(settings): set security settings * feat(containers): hide recreate button when setting is enabled * feat(settings): rephrase security notice * fix(settings): save allowHostNamespaceForRegularUsers to state	2020-07-13 22:26:23 +12:00
Chaim Lev-Ari	cd58c16b4e	feat(settings): hide stacks for non admin when settings is set (#4025 ) * refactor(settings): replace disableDeviceMapping with allow * feat(dashboard): hide stacks if settings disabled and non admin * refactor(sidebar): check if user is endpoint admin * feat(settings): set the default value for stack management * feat(settings): rename field label * fix(sidebar): refresh show stacks state	2020-07-13 18:36:47 +12:00
Chaim Lev-Ari	5ebb03cb4e	feat(settings): add setting to disable device mapping for regular users (#4017 ) * feat(settings): introduce device mapping service * feat(containers): hide devices field when setting is on * feat(containers): prevent passing of devices when not allowed * feat(stacks): prevent non admin from device mapping * feat(stacks): disallow swarm stack creation for user * refactor(settings): replace disableDeviceMapping with allow * fix(stacks): remove check for disable device mappings from swarm * feat(settings): rename field to disable * feat(settings): supply default value for disableDeviceMapping * feat(container): check for endpoint admin	2020-07-13 16:32:56 +12:00
Chaim Lev-Ari	dffcd3fdfd	feat(settings): replace cookies with local storage (#3979 ) * feat(cookies): use secured cookies in frontend * fix(datatables): persist state changes * fix(datatables): persist order * feat(sidebar): use local storage to store toggle state * feat(config): use local storage instead of cookies	2020-07-10 11:51:31 +12:00
Chaim Lev-Ari	3f7687e78a	feat(server): support minimum tls v1.2 (#4019 ) * feat(crypto): use tls 1.2 * feat(crypto): use secure cipher suites * feat(server): accept tls1.2 connections * refactor(crypto): create base tls config * refactor(server): use basic tls config * fix(server): remove unused import * refactor(crypto): rename tls conf factory	2020-07-10 11:48:01 +12:00
Maxime Bajeux	0f58ece899	feat(containers): prevent non-admin users from running containers using the host namespace pid (#3970 ) * feat(containers): Prevent non-admin users from running containers using the host namespace pid * feat(containers): add rbac check for swarm stack too * feat(containers): remove forgotten conflict * feat(containers): init EnableHostNamespaceUse to true and return 403 on forbidden action * feat(containers): change enableHostNamespaceUse to restrictHostNamespaceUse in html * feat(settings): rename EnableHostNamespaceUse to AllowHostNamespaceForRegularUsers	2020-07-08 09:48:34 +12:00
Chaim Lev-Ari	b0ad212858	fix(registries): hide zero tags repositories (#3985 )	2020-07-07 10:59:33 +12:00
Chaim Lev-Ari	7eb2fd3424	feat(stacks): add a setting to disable the creation of stacks for non-admin users (#3932 ) * feat(settings): introduce a setting to prevent non-admin from stack creation * feat(settings): update stack creation setting * feat(settings): fail stack creation if user is non admin * fix(settings): save preventStackCreation setting to state * feat(stacks): disable add button when settings is enabled * format(stacks): remove line * feat(stacks): setting to hide stacks from users * feat(settings): rename disable stacks setting * refactor(settings): rename setting to disableStackManagementForRegularUsers	2020-07-01 09:34:43 +12:00
Maxime Bajeux	4c0d8ce732	feat(containers): Ensure users cannot create privileged containers via the API (#3969 ) * feat(containers): Ensure users cannot create privileged containers via the API * feat(containers): add rbac check in stack creation	2020-06-30 17:13:37 +12:00
Anthony Lapenna	e1cc4bc9a1	chore(version): bump version number	2020-06-16 17:22:51 +12:00
Anthony Lapenna	f2682d82b6	merge branch master into demo	2020-06-05 11:55:22 +12:00
Anthony Lapenna	d3576fe8e6	merge branch master into demo	2020-06-05 11:55:14 +12:00
Anthony Lapenna	f34d27df0f	Merge branch 'master' into demo	2020-03-20 11:43:39 +13:00
Anthony Lapenna	f228b28639	Merge branch 'master' into demo	2020-02-18 13:49:34 +13:00
Anthony Lapenna	d7b4e4aba1	Merge branch 'master' into demo	2019-12-04 17:30:43 +13:00
Anthony Lapenna	7234c443e8	Merge branch 'develop' into demo	2019-10-11 12:17:32 +13:00
Anthony Lapenna	5b844fd40a	fix(http): allow endpoint update operation on demo environment	2019-07-26 15:25:13 +12:00
Anthony Lapenna	7f2ef8fb06	Merge branch 'develop' into demo # Conflicts: # api/cmd/portainer/main.go	2019-07-26 14:43:10 +12:00
Anthony Lapenna	9f817749c1	Merge branch 'develop' into demo	2019-06-04 16:12:31 +12:00
Anthony Lapenna	36198b57a5	Merge branch 'develop' into demo	2019-03-05 18:48:33 +13:00
Anthony Lapenna	70f9e37eab	fix(api): fix missing endpoint identifier	2019-02-14 11:37:54 +13:00
Anthony Lapenna	24f69f0185	Merge branch 'develop' into demo	2019-01-31 15:23:48 +13:00
Anthony Lapenna	4a2e9a892d	fix(demo): fix invalid demo data and trigger snapshot at startup	2018-12-12 20:17:53 +13:00
Anthony Lapenna	1e4bedde4b	Merge branch 'develop' into demo	2018-12-12 17:59:46 +13:00
Anthony Lapenna	9db07e7f4e	Merge branch 'develop' into demo	2018-12-12 14:52:50 +13:00
Anthony Lapenna	d4b8d9947d	Merge branch 'master' into demo	2018-09-15 19:30:58 +08:00
Anthony Lapenna	9194ddcd03	Merge branch 'develop' into demo	2018-07-28 20:35:14 +02:00
Anthony Lapenna	e1edf37770	Merge branch 'develop' into demo Conflicts: app/portainer/views/settings/settings.html	2018-07-27 18:03:52 +02:00
Anthony Lapenna	82b73c06b4	Merge branch 'develop' into demo	2018-06-25 16:44:43 +03:00
Anthony Lapenna	ae286998ab	Merge branch 'develop' into demo Conflicts: api/cmd/portainer/main.go api/http/handler/endpoint.go api/http/handler/user.go	2018-06-21 16:47:13 +03:00
Anthony Lapenna	ffc3ed67e2	Merge branch 'develop' into demo Conflicts: api/cmd/portainer/main.go	2018-05-21 13:45:45 +02:00
Anthony Lapenna	6252be4a08	Merge branch 'develop' into demo Conflicts: api/cmd/portainer/main.go app/portainer/views/settings/settings.html	2018-05-10 18:14:48 +02:00
Anthony Lapenna	75481d928e	Merge branch 'develop' into demo	2018-04-02 08:57:02 +10:00
Anthony Lapenna	d65d65803f	Merge branch 'develop' into demo	2018-03-11 20:30:52 +10:00
Anthony Lapenna	6a8fc253bd	fix(demo): fix demo init data	2018-03-03 10:31:09 +10:00
Anthony Lapenna	1fa8921c11	Merge branch 'develop' into demo	2018-03-03 10:16:10 +10:00
Anthony Lapenna	ba3892aebf	Merge branch 'develop' into demo	2018-02-08 10:22:47 +01:00
Anthony Lapenna	27fc700d6f	Merge branch 'develop' into demo	2018-01-21 18:29:26 +01:00
Anthony Lapenna	3187cb0ada	feat(api): add demo.portainer.io as the Public URL of the endpoint	2018-01-16 15:53:49 +01:00
Anthony Lapenna	b462a15921	Merge branch 'develop' into demo	2017-12-11 17:29:33 +01:00
Anthony Lapenna	11a646a076	Merge branch 'develop' into demo Conflicts: app/components/endpoints/endpoints.html app/components/users/users.html	2017-12-10 11:32:26 +01:00
Anthony Lapenna	4c1edaf251	Merge branch 'develop' into demo	2017-11-26 11:18:14 +01:00
Anthony Lapenna	b45c4f8bea	Merge branch 'develop' into demo Conflicts: app/components/settings/settings.html	2017-11-13 12:07:24 +01:00
Anthony Lapenna	968f070b0b	Merge branch 'develop' into demo	2017-11-08 09:33:45 +01:00
Anthony Lapenna	e679483ffd	Merge branch 'develop' into demo	2017-10-15 20:50:36 +02:00
Anthony Lapenna	494ef6c392	Merge branch 'develop' into 'demo'	2017-10-15 20:27:59 +02:00
Anthony Lapenna	7951c1d150	Merge branch 'develop' into demo	2017-09-28 19:03:22 +02:00
Anthony Lapenna	0083bdb6a2	Merge branch 'master' into demo	2017-09-21 17:49:21 +02:00
Anthony Lapenna	e65881223d	Merge branch 'develop' into 'demo'	2017-09-20 16:15:23 +02:00
Anthony Lapenna	f0c9058568	Merge branch 'develop' into 'demo'	2017-08-13 21:03:39 +02:00
Anthony Lapenna	afd654e4a8	Merge branch 'develop' into demo	2017-07-17 16:01:00 +02:00
Anthony Lapenna	0ef116d6b5	Merge branch 'develop' into demo	2017-07-13 18:19:14 +02:00
Anthony Lapenna	ee64a53782	Merge branch 'develop' into demo	2017-06-29 16:41:40 +02:00
Anthony Lapenna	4a0c899df5	Merge branch 'develop' into 'demo'	2017-06-20 13:24:29 +02:00
Anthony Lapenna	840603bb8c	feat(settings): prevent the display of the URL field for custom templates	2017-06-05 09:56:04 +02:00
Anthony Lapenna	5fe79621a6	feat(settings): set a default value for custom templates	2017-06-05 09:51:01 +02:00
Anthony Lapenna	d3b9822105	Merge branch 'develop' into 'demo'	2017-06-05 09:45:06 +02:00
Anthony Lapenna	9163bcae25	Merge branch 'develop' into demo	2017-05-25 12:40:11 +02:00
Anthony Lapenna	17dad6e36f	fix(api): prevent the deletion of the admin user	2017-05-23 21:51:30 +02:00
Anthony Lapenna	75b836453a	merge branch 'develop' into demo	2017-05-23 21:06:50 +02:00
Anthony Lapenna	b8866d487f	Merge branch 'develop' into demo	2017-04-06 11:02:27 +02:00
Anthony Lapenna	dfb3b3aaa1	Merge branch 'develop' into demo	2017-03-28 15:38:24 +02:00
Anthony Lapenna	09fdc9781c	feat(demo): add demo restrictions	2017-03-14 08:47:57 +01:00