add iam crd

Signed-off-by: hongming <talonwan@yunify.com>
2020-04-05 03:52:12 +08:00
parent 3c73471f79
commit 0e814bb5e4
879 changed files with 5869 additions and 139213 deletions
--- a/pkg/api/iam/user.go
+++ b/pkg/api/iam/user.go
@@ -1,41 +0,0 @@
-package iam
-
-import (
-	"kubesphere.io/kubesphere/pkg/server/errors"
-	"time"
-)
-
-type User struct {
-	Name        string    `json:"username"`
-	UID         string    `json:"uid"`
-	Email       string    `json:"email"`
-	Lang        string    `json:"lang,omitempty"`
-	Description string    `json:"description"`
-	CreateTime  time.Time `json:"createTime"`
-	Groups      []string  `json:"groups,omitempty"`
-	Password    string    `json:"password,omitempty"`
-}
-
-func (u *User) GetName() string {
-	return u.Name
-}
-
-func (u *User) GetUID() string {
-	return u.UID
-}
-
-func (u *User) GetEmail() string {
-	return u.Email
-}
-
-func (u *User) Validate() error {
-	if u.Name == "" {
-		return errors.New("username can not be empty")
-	}
-
-	if u.Password == "" {
-		return errors.New("password can not be empty")
-	}
-
-	return nil
-}
--- a/pkg/api/types.go
+++ b/pkg/api/types.go
@@ -6,8 +6,8 @@ import (
 )

 type ListResult struct {
-	Items      []interface{} `json:"items,omitempty"`
-	TotalItems int           `json:"totalItems,omitempty"`
+	Items      []interface{} `json:"items"`
+	TotalItems int           `json:"totalItems"`
 }

 type ResourceQuota struct {
--- a/pkg/apis/iam/v1alpha2/register.go
+++ b/pkg/apis/iam/v1alpha2/register.go
@@ -25,8 +25,9 @@ limitations under the License.
 package v1alpha2

 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/runtime/scheme"
 )

 var (
@@ -34,7 +35,7 @@ var (
 	SchemeGroupVersion = schema.GroupVersion{Group: "iam.kubesphere.io", Version: "v1alpha2"}

 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
-	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

 	// AddToScheme is required by pkg/client/...
 	AddToScheme = SchemeBuilder.AddToScheme
@@ -44,3 +45,18 @@ var (
 func Resource(resource string) schema.GroupResource {
 	return SchemeGroupVersion.WithResource(resource).GroupResource()
 }
+
+// Adds the list of known types to the given scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&User{},
+		&Role{},
+		&RoleList{},
+		&RoleBinding{},
+		&RoleBindingList{},
+		&PolicyRule{},
+		&PolicyRuleList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}
--- a/pkg/apis/iam/v1alpha2/user_types.go
+++ b/pkg/apis/iam/v1alpha2/user_types.go
@@ -20,14 +20,12 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
-// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
-
-// User is the Schema for the users API
-// +k8s:openapi-gen=true
 // +genclient
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +genclient:nonNamespaced
+// +k8s:openapi-gen=true
+
+// User is the Schema for the users API
 // +kubebuilder:printcolumn:name="Email",type="string",JSONPath=".spec.email"
 // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state"
 // +kubebuilder:resource:categories="iam",scope="Cluster"
@@ -119,7 +117,6 @@ const (
 )

 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +genclient:nonNamespaced

 // UserList contains a list of User
 type UserList struct {
@@ -128,6 +125,112 @@ type UserList struct {
 	Items           []User `json:"items"`
 }

-func init() {
-	SchemeBuilder.Register(&User{}, &UserList{})
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// +kubebuilder:resource:categories="iam",scope="Cluster"
+type Role struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Scope Scope     `json:"scope"`
+	Rules []RuleRef `json:"rules"`
+}
+
+type Scope struct {
+	Level  Level    `json:"level"`
+	Scopes []string `json:"scopes"`
+}
+
+type Level string
+
+const (
+	LevelGlobal    Level = "Global"
+	LevelCluster   Level = "Cluster"
+	LevelWorkspace Level = "Workspace"
+	LevelNamespace Level = "Namespace"
+	ScopeALL             = "*"
+)
+
+// RuleRef contains information that points to the role being used
+type RuleRef struct {
+	// APIGroup is the group for the resource being referenced
+	APIGroup string `json:"apiGroup"`
+	// Kind is the type of resource being referenced
+	Kind string `json:"kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleList contains a list of Role
+type RoleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []Role `json:"items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// +kubebuilder:resource:categories="iam",scope="Cluster"
+type PolicyRule struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Level Level  `json:"level"`
+	Rego  string `json:"rego"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PolicyRuleList contains a list of PolicyRule
+type PolicyRuleList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PolicyRule `json:"items"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBinding is the Schema for the rolebindings API
+// +kubebuilder:resource:categories="iam",scope="Cluster"
+type RoleBinding struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Level   Level   `json:"level"`
+	RoleRef RoleRef `json:"roleRef"`
+	// Subjects holds references to the users the role applies to.
+	// +optional
+	Subjects []Subject `json:"subjects,omitempty"`
+}
+
+// RoleRef contains information that points to the role being used
+type RoleRef struct {
+	// APIGroup is the group for the resource being referenced
+	APIGroup string `json:"apiGroup"`
+	// Kind is the type of resource being referenced
+	Kind string `json:"kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name"`
+}
+
+// or a value for non-objects such as user and group names.
+type Subject struct {
+	// Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+	// If the Authorizer does not recognized the kind value, the Authorizer should report an error.
+	Kind string `json:"kind"`
+	// APIGroup holds the API group of the referenced subject.
+	APIGroup string `json:"apiGroup"`
+	// Name of the object being referenced.
+	Name string `json:"name"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// RoleBindingList contains a list of RoleBinding
+type RoleBindingList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []RoleBinding `json:"items"`
 }
--- a/pkg/apis/iam/v1alpha2/user_types_test.go
+++ b/pkg/apis/iam/v1alpha2/user_types_test.go
--- a/pkg/apis/iam/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/iam/v1alpha2/zz_generated.deepcopy.go
@@ -21,9 +21,257 @@ limitations under the License.
 package v1alpha2

 import (
-	runtime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime"
 )

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.
+func (in *PolicyRule) DeepCopy() *PolicyRule {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PolicyRule) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PolicyRuleList) DeepCopyInto(out *PolicyRuleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]PolicyRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRuleList.
+func (in *PolicyRuleList) DeepCopy() *PolicyRuleList {
+	if in == nil {
+		return nil
+	}
+	out := new(PolicyRuleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *PolicyRuleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Role) DeepCopyInto(out *Role) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Scope.DeepCopyInto(&out.Scope)
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]RuleRef, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Role.
+func (in *Role) DeepCopy() *Role {
+	if in == nil {
+		return nil
+	}
+	out := new(Role)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Role) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBinding) DeepCopyInto(out *RoleBinding) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	out.RoleRef = in.RoleRef
+	if in.Subjects != nil {
+		in, out := &in.Subjects, &out.Subjects
+		*out = make([]Subject, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.
+func (in *RoleBinding) DeepCopy() *RoleBinding {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBinding)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBinding) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleBindingList) DeepCopyInto(out *RoleBindingList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]RoleBinding, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBindingList.
+func (in *RoleBindingList) DeepCopy() *RoleBindingList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleBindingList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleBindingList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleList) DeepCopyInto(out *RoleList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Role, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleList.
+func (in *RoleList) DeepCopy() *RoleList {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RoleList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RoleRef) DeepCopyInto(out *RoleRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleRef.
+func (in *RoleRef) DeepCopy() *RoleRef {
+	if in == nil {
+		return nil
+	}
+	out := new(RoleRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleRef) DeepCopyInto(out *RuleRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRef.
+func (in *RuleRef) DeepCopy() *RuleRef {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Scope) DeepCopyInto(out *Scope) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scope.
+func (in *Scope) DeepCopy() *Scope {
+	if in == nil {
+		return nil
+	}
+	out := new(Scope)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Subject) DeepCopyInto(out *Subject) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subject.
+func (in *Subject) DeepCopy() *Subject {
+	if in == nil {
+		return nil
+	}
+	out := new(Subject)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *User) DeepCopyInto(out *User) {
 	*out = *in
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -193,7 +193,7 @@ func (s *APIServer) buildHandlerChain() {

 	// authenticators are unordered
 	authn := unionauth.New(anonymous.NewAuthenticator(),
-		basictoken.New(basic.NewBasicAuthenticator(im.NewFakeOperator())),
+		basictoken.New(basic.NewBasicAuthenticator(im.NewOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory()))),
 		bearertoken.New(jwttoken.NewTokenAuthenticator(token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient))))
 	handler = filters.WithAuthentication(handler, authn)
 	handler = filters.WithRequestInfo(handler, requestInfoResolver)
@@ -273,6 +273,7 @@ func (s *APIServer) waitForResourceSync(stopCh <-chan struct{}) error {

 	ksGVRs := []schema.GroupVersionResource{
 		{Group: "tenant.kubesphere.io", Version: "v1alpha1", Resource: "workspaces"},
+		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "users"},
 		{Group: "tower.kubesphere.io", Version: "v1alpha1", Resource: "agents"},
 	}

--- a/pkg/apiserver/authentication/authenticators/basic/basic.go
+++ b/pkg/apiserver/authentication/authenticators/basic/basic.go
@@ -51,7 +51,7 @@ func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username,
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
 			Name:   providedUser.GetName(),
-			UID:    providedUser.GetUID(),
+			UID:    string(providedUser.GetUID()),
 			Groups: []string{user.AllAuthenticated},
 		},
 	}, true, nil
--- a/pkg/apiserver/authentication/token/jwt.go
+++ b/pkg/apiserver/authentication/token/jwt.go
@@ -21,7 +21,7 @@ package token
 import (
 	"fmt"
 	"github.com/dgrijalva/jwt-go"
-	"kubesphere.io/kubesphere/pkg/api/iam"
+	"k8s.io/apiserver/pkg/authentication/user"
 	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/server/errors"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
@@ -69,7 +69,7 @@ func (s *jwtTokenIssuer) Verify(tokenString string) (User, error) {
 		return nil, err
 	}

-	return &iam.User{Name: clm.Username, UID: clm.UID}, nil
+	return &user.DefaultInfo{Name: clm.Username, UID: clm.UID}, nil
 }

 func (s *jwtTokenIssuer) IssueTo(user User, expiresIn time.Duration) (string, error) {
--- a/pkg/apiserver/authentication/token/jwt_test.go
+++ b/pkg/apiserver/authentication/token/jwt_test.go
@@ -20,7 +20,7 @@ package token

 import (
 	"github.com/google/go-cmp/cmp"
-	"kubesphere.io/kubesphere/pkg/api/iam"
+	"k8s.io/apiserver/pkg/authentication/user"
 	authoptions "kubesphere.io/kubesphere/pkg/apiserver/authentication/options"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
 	"testing"
@@ -48,7 +48,7 @@ func TestJwtTokenIssuer(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		user := &iam.User{
+		user := &user.DefaultInfo{
 			Name: testCase.name,
 			UID:  testCase.uid,
 		}
--- a/pkg/apiserver/query/field.go
+++ b/pkg/apiserver/query/field.go
@@ -1,16 +1,19 @@
 package query

 type Field string
+type Value string

 const (
 	FieldName                = "name"
+	FieldUID                 = "uid"
 	FieldCreationTimeStamp   = "creationTimestamp"
 	FieldLastUpdateTimestamp = "lastUpdateTimestamp"
 	FieldLabel               = "label"
+	FieldAnnotation          = "annotation"
+	FieldClusterName         = "clusterName"
 	FieldNamespace           = "namespace"
 	FieldStatus              = "status"
-	FieldApplication         = "application"
-	FieldOwner               = "owner"
+	FieldOwnerReference      = "ownerReference"
 	FieldOwnerKind           = "ownerKind"
 )

@@ -23,9 +26,12 @@ var SortableFields = []Field{
 // Field contains all the query field that can be compared
 var ComparableFields = []Field{
 	FieldName,
+	FieldUID,
+	FieldLabel,
+	FieldAnnotation,
+	FieldClusterName,
 	FieldNamespace,
 	FieldStatus,
-	FieldApplication,
-	FieldOwner,
+	FieldOwnerReference,
 	FieldOwnerKind,
 }
--- a/pkg/apiserver/query/types.go
+++ b/pkg/apiserver/query/types.go
@@ -3,7 +3,6 @@ package query
 import (
 	"github.com/emicklei/go-restful"
 	"strconv"
-	"strings"
 )

 const (
@@ -16,24 +15,6 @@ const (
 	ParameterAscending     = "ascending"
 )

-type Comparable interface {
-	Compare(Comparable) int
-
-	Contains(Comparable) bool
-}
-
-type ComparableString string
-
-func (c ComparableString) Compare(comparable Comparable) int {
-	other := comparable.(ComparableString)
-	return strings.Compare(string(c), string(other))
-}
-
-func (c ComparableString) Contains(comparable Comparable) bool {
-	other := comparable.(ComparableString)
-	return strings.Contains(string(c), string(other))
-}
-
 // Query represents api search terms
 type Query struct {
 	Pagination *Pagination
@@ -52,29 +33,30 @@ type Pagination struct {
 	// items per page
 	Limit int

-	// page number
-	Page int
+	// offset
+	Offset int
 }

-var NoPagination = newPagination(-1, -1)
+var NoPagination = newPagination(-1, 0)

-func newPagination(limit int, page int) *Pagination {
+// make sure that pagination is valid
+func newPagination(limit int, offset int) *Pagination {
 	return &Pagination{
-		Limit: limit,
-		Page:  page,
+		Limit:  limit,
+		Offset: offset,
 	}
 }

-func (p *Pagination) IsValidPagintaion() bool {
-	return p.Limit >= 0 && p.Page >= 0
-}
+func (p *Pagination) GetValidPagination(total int) (startIndex, endIndex int) {
+	if p.Limit == NoPagination.Limit {
+		return 0, total
+	}

-func (p *Pagination) IsPageAvailable(total, startIndex int) bool {
-	return total > startIndex && p.Limit > 0
-}
+	if p.Limit < 0 || p.Offset < 0 {
+		return 0, 0
+	}

-func (p *Pagination) GetPaginationSettings(total int) (startIndex, endIndex int) {
-	startIndex = p.Limit * p.Page
+	startIndex = p.Limit * p.Offset
 	endIndex = startIndex + p.Limit

 	if endIndex > total {
@@ -86,33 +68,33 @@ func (p *Pagination) GetPaginationSettings(total int) (startIndex, endIndex int)

 func New() *Query {
 	return &Query{
-		Pagination: &Pagination{
-			Limit: -1,
-			Page:  -1,
-		},
-		SortBy:    "",
-		Ascending: false,
-		Filters:   []Filter{},
+		Pagination: NoPagination,
+		SortBy:     "",
+		Ascending:  false,
+		Filters:    []Filter{},
 	}
 }

 type Filter struct {
 	Field Field
-	Value Comparable
+	Value Value
 }

 func ParseQueryParameter(request *restful.Request) *Query {
 	query := New()

-	limit, err := strconv.ParseInt(request.QueryParameter("limit"), 10, 0)
+	limit, err := strconv.Atoi(request.QueryParameter("limit"))
+	// equivalent to undefined, use the default value
 	if err != nil {
-		query.Pagination = NoPagination
+		limit = -1
+	}
+	page, err := strconv.Atoi(request.QueryParameter("page"))
+	// equivalent to undefined, use the default value
+	if err != nil {
+		page = 1
 	}

-	page, err := strconv.ParseInt(request.QueryParameter("page"), 10, 0)
-	if err == nil {
-		query.Pagination = newPagination(int(limit), int(page-1))
-	}
+	query.Pagination = newPagination(limit, page-1)

 	query.SortBy = Field(defaultString(request.QueryParameter("sortBy"), FieldCreationTimeStamp))

@@ -128,13 +110,12 @@ func ParseQueryParameter(request *restful.Request) *Query {
 		if len(f) != 0 {
 			query.Filters = append(query.Filters, Filter{
 				Field: field,
-				Value: ComparableString(f),
+				Value: Value(f),
 			})
 		}
 	}

 	return query
-
 }

 func defaultString(value, defaultValue string) string {
--- a/pkg/apiserver/query/types_test.go
+++ b/pkg/apiserver/query/types_test.go
@@ -16,7 +16,7 @@ func TestParseQueryParameter(t *testing.T) {
 	}{
 		{
 			"test normal case",
-			"name=foo&status=Running&application=book&page=1&limit=10&ascending=true",
+			"label=app.kubernetes.io/name:book&name=foo&status=Running&page=1&limit=10&ascending=true",
 			&Query{
 				Pagination: newPagination(10, 0),
 				SortBy:     FieldCreationTimeStamp,
@@ -24,15 +24,15 @@ func TestParseQueryParameter(t *testing.T) {
 				Filters: []Filter{
 					{
 						FieldName,
-						ComparableString("foo"),
+						Value("foo"),
+					},
+					{
+						FieldLabel,
+						Value("app.kubernetes.io/name:book"),
 					},
 					{
 						FieldStatus,
-						ComparableString("Running"),
-					},
-					{
-						FieldApplication,
-						ComparableString("book"),
+						Value("Running"),
 					},
 				},
 			},
@@ -41,13 +41,10 @@ func TestParseQueryParameter(t *testing.T) {
 			"test bad case",
 			"xxxx=xxxx&dsfsw=xxxx&page=abc&limit=add&ascending=ssss",
 			&Query{
-				Pagination: &Pagination{
-					Limit: -1,
-					Page:  -1,
-				},
-				SortBy:    FieldCreationTimeStamp,
-				Ascending: false,
-				Filters:   []Filter{},
+				Pagination: NoPagination,
+				SortBy:     FieldCreationTimeStamp,
+				Ascending:  false,
+				Filters:    []Filter{},
 			},
 		},
 	}
--- a/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
+++ b/pkg/controller/clusterrolebinding/clusterrolebinding_controller.go
@@ -169,7 +169,6 @@ func (r *ReconcileClusterRoleBinding) updateRoleBindings(clusterRoleBinding *rba
 	if clusterRoleBinding.Name == getWorkspaceViewerRoleBindingName(workspaceName) {

 		found := &rbac.RoleBinding{}
-
 		viewerBinding := &rbac.RoleBinding{}
 		viewerBinding.Name = "viewer"
 		viewerBinding.Namespace = namespace.Name
--- a/pkg/controller/user/user_webhook.go
+++ b/pkg/controller/user/user_webhook.go
@@ -0,0 +1,102 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+	"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"net/http"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	"strconv"
+)
+
+type EmailValidator struct {
+	Client  client.Client
+	decoder *admission.Decoder
+}
+
+type PasswordCipher struct {
+	Client  client.Client
+	decoder *admission.Decoder
+}
+
+func (a *EmailValidator) Handle(ctx context.Context, req admission.Request) admission.Response {
+	user := &v1alpha2.User{}
+	err := a.decoder.Decode(req, user)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	email := user.Spec.Email
+
+	allUsers := v1alpha2.UserList{}
+
+	a.Client.List(ctx, &v1alpha2.UserList{}, &client.ListOptions{})
+
+	found := emailAlreadyExist(allUsers, email)
+
+	if !found {
+		return admission.Denied(fmt.Sprintf("email %s must be unique", email))
+	}
+
+	return admission.Allowed("")
+}
+
+func emailAlreadyExist(users v1alpha2.UserList, email string) bool {
+	for _, user := range users.Items {
+		if user.Spec.Email == email {
+			return true
+		}
+	}
+	return false
+}
+
+func (a *PasswordCipher) Handle(ctx context.Context, req admission.Request) admission.Response {
+	user := &v1alpha2.User{}
+	err := a.decoder.Decode(req, user)
+	if err != nil {
+		return admission.Errored(http.StatusBadRequest, err)
+	}
+
+	encrypted, err := strconv.ParseBool(user.Annotations["iam.kubesphere.io/password-encrypted"])
+
+	if err != nil || !encrypted {
+		password, err := hashPassword(user.Spec.EncryptedPassword)
+		if err != nil {
+			return admission.Errored(http.StatusInternalServerError, err)
+		}
+		user.Spec.EncryptedPassword = password
+	}
+
+	marshaledUser, err := json.Marshal(user)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
+	}
+
+	return admission.PatchResponseFromRaw(req.Object.Raw, marshaledUser)
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
+	return string(bytes), err
+}
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
@@ -44,7 +44,7 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, factory informer
 	handler := newIAMHandler(k8sClient, factory, ldapClient, cacheClient, options)

 	// implemented by create CRD object.
-	//ws.Route(ws.POST("/users"))
+	//ws.Route(ws.POST("/users").To(handler.CreateUser))
 	//ws.Route(ws.DELETE("/users/{user}"))
 	//ws.Route(ws.PUT("/users/{user}"))
 	//ws.Route(ws.GET("/users/{user}"))
--- a/pkg/kapis/resources/v1alpha2/register.go
+++ b/pkg/kapis/resources/v1alpha2/register.go
@@ -49,6 +49,7 @@ func AddToContainer(c *restful.Container, client kubernetes.Interface, factory i

 	webservice.Route(webservice.GET("/namespaces/{namespace}/{resources}").
 		To(handler.handleListNamespaceResources).
+		Deprecate().
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.NamespaceResourcesTag}).
 		Doc("Namespace level resource query").
 		Param(webservice.PathParameter("namespace", "the name of the project")).
@@ -66,6 +67,7 @@ func AddToContainer(c *restful.Container, client kubernetes.Interface, factory i

 	webservice.Route(webservice.GET("/{resources}").
 		To(handler.handleListNamespaceResources).
+		Deprecate().
 		Returns(http.StatusOK, api.StatusOK, models.PageableResponse{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.ClusterResourcesTag}).
 		Doc("Cluster level resource query").
--- a/pkg/kapis/resources/v1alpha3/handler.go
+++ b/pkg/kapis/resources/v1alpha3/handler.go
@@ -11,7 +11,7 @@ import (
 )

 type Handler struct {
-	namespacedResourceGetter *resource.NamespacedResourceGetter
+	namespacedResourceGetter *resource.ResourceGetter
 	componentsGetter         components.ComponentsGetter
 }

@@ -22,22 +22,8 @@ func New(factory informers.InformerFactory) *Handler {
 	}
 }

-func (h Handler) handleGetNamespacedResource(request *restful.Request, response *restful.Response) {
-	resource := request.PathParameter("resources")
-	namespace := request.PathParameter("namespace")
-	name := request.PathParameter("name")
-
-	result, err := h.namespacedResourceGetter.Get(resource, namespace, name)
-	if err != nil {
-		api.HandleInternalError(response, nil, err)
-		return
-	}
-
-	response.WriteHeaderAndEntity(http.StatusOK, result)
-}
-
-// handleListNamedResource retrieves namespaced scope resources
-func (h Handler) handleListNamespacedResource(request *restful.Request, response *restful.Response) {
+// handleListResources retrieves resources
+func (h Handler) handleListResources(request *restful.Request, response *restful.Response) {
 	query := query.ParseQueryParameter(request)
 	resource := request.PathParameter("resources")
 	namespace := request.PathParameter("namespace")
@@ -48,7 +34,7 @@ func (h Handler) handleListNamespacedResource(request *restful.Request, response
 		return
 	}

-	response.WriteHeaderAndEntity(http.StatusOK, result)
+	response.WriteEntity(result)
 }

 func (h Handler) handleGetComponentStatus(request *restful.Request, response *restful.Response) {
--- a/pkg/kapis/resources/v1alpha3/register.go
+++ b/pkg/kapis/resources/v1alpha3/register.go
@@ -45,14 +45,26 @@ func AddToContainer(c *restful.Container, informerFactory informers.InformerFact
 	webservice := runtime.NewWebService(GroupVersion)
 	handler := New(informerFactory)

+	webservice.Route(webservice.GET("/{resources}").
+		To(handler.handleListResources).
+		Metadata(restfulspec.KeyOpenAPITags, []string{tagNamespacedResource}).
+		Doc("Cluster level resource query").
+		Param(webservice.PathParameter("resources", "namespace level resource type, e.g. pods,jobs,configmaps,services.")).
+		Param(webservice.QueryParameter(query.ParameterName, "name used to do filtering").Required(false)).
+		Param(webservice.QueryParameter(query.ParameterPage, "page").Required(false).DataFormat("page=%d").DefaultValue("page=1")).
+		Param(webservice.QueryParameter(query.ParameterLimit, "limit").Required(false)).
+		Param(webservice.QueryParameter(query.ParameterAscending, "sort parameters, e.g. reverse=true").Required(false).DefaultValue("ascending=false")).
+		Param(webservice.QueryParameter(query.ParameterOrderBy, "sort parameters, e.g. orderBy=createTime")).
+		Returns(http.StatusOK, ok, api.ListResult{}))
+
 	webservice.Route(webservice.GET("/namespaces/{namespace}/{resources}").
-		To(handler.handleGetNamespacedResource).
+		To(handler.handleListResources).
 		Metadata(restfulspec.KeyOpenAPITags, []string{tagNamespacedResource}).
 		Doc("Namespace level resource query").
 		Param(webservice.PathParameter("namespace", "the name of the project")).
 		Param(webservice.PathParameter("resources", "namespace level resource type, e.g. pods,jobs,configmaps,services.")).
 		Param(webservice.QueryParameter(query.ParameterName, "name used to do filtering").Required(false)).
-		Param(webservice.QueryParameter(query.ParameterPage, "page").Required(false).DataFormat("page=%d").DefaultValue("page=0")).
+		Param(webservice.QueryParameter(query.ParameterPage, "page").Required(false).DataFormat("page=%d").DefaultValue("page=1")).
 		Param(webservice.QueryParameter(query.ParameterLimit, "limit").Required(false)).
 		Param(webservice.QueryParameter(query.ParameterAscending, "sort parameters, e.g. reverse=true").Required(false).DefaultValue("ascending=false")).
 		Param(webservice.QueryParameter(query.ParameterOrderBy, "sort parameters, e.g. orderBy=createTime")).
--- a/pkg/models/iam/im/im.go
+++ b/pkg/models/iam/im/im.go
@@ -19,76 +19,20 @@ package im

 import (
 	"github.com/pkg/errors"
-	"kubesphere.io/kubesphere/pkg/api/iam"
-	"kubesphere.io/kubesphere/pkg/simple/client/ldap"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 )

 type IdentityManagementInterface interface {
-	CreateUser(user *iam.User) (*iam.User, error)
+	CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error)
 	DeleteUser(username string) error
-	ModifyUser(user *iam.User) (*iam.User, error)
-	DescribeUser(username string) (*iam.User, error)
-	Authenticate(username, password string) (*iam.User, error)
-}
-
-type imOperator struct {
-	ldapClient ldap.Interface
+	ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error)
+	DescribeUser(username string) (*iamv1alpha2.User, error)
+	Authenticate(username, password string) (*iamv1alpha2.User, error)
 }

 var (
-	AuthRateLimitExceeded = errors.New("user auth rate limit exceeded")
-	UserAlreadyExists     = errors.New("user already exists")
-	UserNotExists         = errors.New("user not exists")
+	AuthRateLimitExceeded       = errors.New("user auth rate limit exceeded")
+	AuthFailedIncorrectPassword = errors.New("incorrect password")
+	UserAlreadyExists           = errors.New("user already exists")
+	UserNotExists               = errors.New("user not exists")
 )
-
-func NewLDAPOperator(ldapClient ldap.Interface) IdentityManagementInterface {
-	return &imOperator{
-		ldapClient: ldapClient,
-	}
-
-}
-
-func (im *imOperator) ModifyUser(user *iam.User) (*iam.User, error) {
-
-	err := im.ldapClient.Update(user)
-
-	if err != nil {
-		return nil, err
-	}
-
-	return im.ldapClient.Get(user.Name)
-}
-
-func (im *imOperator) Authenticate(username, password string) (*iam.User, error) {
-
-	user, err := im.ldapClient.Get(username)
-
-	if err != nil {
-		return nil, err
-	}
-
-	err = im.ldapClient.Authenticate(user.Name, password)
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
-
-func (im *imOperator) DescribeUser(username string) (*iam.User, error) {
-	return im.ldapClient.Get(username)
-}
-
-func (im *imOperator) DeleteUser(username string) error {
-	return im.ldapClient.Delete(username)
-}
-
-func (im *imOperator) CreateUser(user *iam.User) (*iam.User, error) {
-	err := im.ldapClient.Create(user)
-
-	if err != nil {
-		return nil, err
-	}
-
-	return user, nil
-}
--- a/pkg/models/iam/im/im_operator.go
+++ b/pkg/models/iam/im/im_operator.go
@@ -0,0 +1,85 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package im
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	kubesphereclient "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
+	informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions"
+)
+
+func NewOperator(ksClient kubesphereclient.Interface, informer informers.SharedInformerFactory) IdentityManagementInterface {
+
+	return &defaultIMOperator{
+		ksClient: ksClient,
+		informer: informer,
+	}
+
+}
+
+type defaultIMOperator struct {
+	ksClient kubesphereclient.Interface
+	informer informers.SharedInformerFactory
+}
+
+func (im *defaultIMOperator) ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	return im.ksClient.IamV1alpha2().Users().Update(user)
+}
+
+func (im *defaultIMOperator) Authenticate(username, password string) (*iamv1alpha2.User, error) {
+
+	user, err := im.ksClient.IamV1alpha2().Users().Get(username, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+	if checkPasswordHash(password, user.Spec.EncryptedPassword) {
+		return user, nil
+	}
+	return nil, AuthFailedIncorrectPassword
+}
+
+func checkPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}
+
+func (im *defaultIMOperator) DescribeUser(username string) (*iamv1alpha2.User, error) {
+	user, err := im.ksClient.IamV1alpha2().Users().Get(username, metav1.GetOptions{})
+
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func (im *defaultIMOperator) DeleteUser(username string) error {
+	return im.ksClient.IamV1alpha2().Users().Delete(username, metav1.NewDeleteOptions(0))
+}
+
+func (im *defaultIMOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	user, err := im.ksClient.IamV1alpha2().Users().Create(user)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
--- a/pkg/models/iam/im/im_test.go
+++ b/pkg/models/iam/im/im_test.go
@@ -17,3 +17,25 @@
 */

 package im
+
+import (
+	"golang.org/x/crypto/bcrypt"
+	"testing"
+)
+
+func TestEncryptPassword(t *testing.T) {
+	password := "P@88w0rd"
+	encryptedPassword, err := hashPassword(password)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !checkPasswordHash(password, encryptedPassword) {
+		t.Fatal(err)
+	}
+	t.Log(encryptedPassword)
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.MinCost)
+	return string(bytes), err
+}
--- a/pkg/models/iam/im/ldap_operator.go
+++ b/pkg/models/iam/im/ldap_operator.go
@@ -0,0 +1,80 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package im
+
+import (
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/simple/client/ldap"
+)
+
+type ldapOperator struct {
+	ldapClient ldap.Interface
+}
+
+func NewLDAPOperator(ldapClient ldap.Interface) IdentityManagementInterface {
+	return &ldapOperator{
+		ldapClient: ldapClient,
+	}
+
+}
+
+func (im *ldapOperator) ModifyUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+
+	err := im.ldapClient.Update(user)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return im.ldapClient.Get(user.Name)
+}
+
+func (im *ldapOperator) Authenticate(username, password string) (*iamv1alpha2.User, error) {
+
+	user, err := im.ldapClient.Get(username)
+
+	if err != nil {
+		return nil, err
+	}
+
+	err = im.ldapClient.Authenticate(user.Name, password)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+func (im *ldapOperator) DescribeUser(username string) (*iamv1alpha2.User, error) {
+	return im.ldapClient.Get(username)
+}
+
+func (im *ldapOperator) DeleteUser(username string) error {
+	return im.ldapClient.Delete(username)
+}
+
+func (im *ldapOperator) CreateUser(user *iamv1alpha2.User) (*iamv1alpha2.User, error) {
+	err := im.ldapClient.Create(user)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
--- a/pkg/models/resources/v1alpha3/deployment/deployments.go
+++ b/pkg/models/resources/v1alpha3/deployment/deployments.go
@@ -32,9 +32,6 @@ import (
 )

 const (
-	applicationLabel = "app.kubernetes.io/name"
-	ReleaseLabel     = "relase"
-
 	statusStopped  = "stopped"
 	statusRunning  = "running"
 	statusUpdating = "updating"
@@ -80,14 +77,10 @@ func (d *deploymentsGetter) compare(left runtime.Object, right runtime.Object, f
 	}

 	switch field {
-	case query.FieldCreationTimeStamp:
-		return leftDeployment.CreationTimestamp.After(rightDeployment.CreationTimestamp.Time)
 	case query.FieldLastUpdateTimestamp:
 		return lastUpdateTime(leftDeployment).After(lastUpdateTime(rightDeployment))
 	default:
-		fallthrough
-	case query.FieldName:
-		return strings.Compare(leftDeployment.Name, rightDeployment.Name) > 0
+		return v1alpha3.DefaultObjectMetaCompare(leftDeployment.ObjectMeta, rightDeployment.ObjectMeta, field)
 	}
 }

@@ -98,18 +91,12 @@ func (d *deploymentsGetter) filter(object runtime.Object, filter query.Filter) b
 	}

 	switch filter.Field {
-	case query.FieldName:
-		return query.ComparableString(deployment.Name).Contains(filter.Value)
-	case query.FieldApplication:
-		if app, ok := deployment.Labels[applicationLabel]; ok {
-			return query.ComparableString(app).Contains(filter.Value)
-		}
+
 	case query.FieldStatus:
-		return filter.Value.Compare(query.ComparableString(deploymentStatus(deployment.Status))) == 0
+		return strings.Compare(deploymentStatus(deployment.Status), string(filter.Value)) == 0
 	default:
-		return false
+		return v1alpha3.DefaultObjectMetaFilter(deployment.ObjectMeta, filter)
 	}
-	return false
 }

 func deploymentStatus(status v1.DeploymentStatus) string {
--- a/pkg/models/resources/v1alpha3/deployment/deployments_test.go
+++ b/pkg/models/resources/v1alpha3/deployment/deployments_test.go
@@ -94,15 +94,15 @@ func TestListDeployments(t *testing.T) {
 			},
 			&query.Query{
 				Pagination: &query.Pagination{
-					Limit: 1,
-					Page:  1,
+					Limit:  1,
+					Offset: 1,
 				},
 				SortBy:    query.FieldName,
 				Ascending: false,
 				Filters: []query.Filter{
 					{
 						Field: query.FieldName,
-						Value: query.ComparableString("foo"),
+						Value: query.Value("foo"),
 					},
 				},
 			},
--- a/pkg/models/resources/v1alpha3/interface.go
+++ b/pkg/models/resources/v1alpha3/interface.go
@@ -1,10 +1,12 @@
 package v1alpha3

 import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"kubesphere.io/kubesphere/pkg/api"
 	"kubesphere.io/kubesphere/pkg/apiserver/query"
 	"sort"
+	"strings"
 )

 type Interface interface {
@@ -36,14 +38,6 @@ func DefaultList(objects []runtime.Object, query *query.Query, compareFunc Compa
 		}
 	}

-	start, end := query.Pagination.GetPaginationSettings(len(filtered))
-	if !query.Pagination.IsPageAvailable(len(filtered), start) {
-		return &api.ListResult{
-			Items:      nil,
-			TotalItems: 0,
-		}
-	}
-
 	// sort by sortBy field
 	sort.Slice(filtered, func(i, j int) bool {
 		if !query.Ascending {
@@ -52,14 +46,88 @@ func DefaultList(objects []runtime.Object, query *query.Query, compareFunc Compa
 		return compareFunc(filtered[i], filtered[j], query.SortBy)
 	})

+	start, end := query.Pagination.GetValidPagination(len(filtered))
+
 	return &api.ListResult{
 		Items:      objectsToInterfaces(filtered[start:end]),
 		TotalItems: len(filtered),
 	}
 }

+func DefaultObjectMetaCompare(left, right metav1.ObjectMeta, sortBy query.Field) bool {
+	switch sortBy {
+	// ?sortBy=name
+	case query.FieldName:
+		return strings.Compare(left.Name, right.Name) > 0
+	//	?sortBy=creationTimestamp
+	case query.FieldCreationTimeStamp:
+		return left.CreationTimestamp.After(right.CreationTimestamp.Time)
+	default:
+		return false
+	}
+}
+
+//  Default metadata filter
+func DefaultObjectMetaFilter(item metav1.ObjectMeta, filter query.Filter) bool {
+	switch filter.Field {
+	// /namespaces?page=1&limit=10&name=default
+	case query.FieldName:
+		return strings.Contains(item.Name, string(filter.Value))
+		// /namespaces?page=1&limit=10&uid=a8a8d6cf-f6a5-4fea-9c1b-e57610115706
+	case query.FieldUID:
+		return strings.Compare(string(item.UID), string(filter.Value)) == 0
+		// /deployments?page=1&limit=10&namespace=kubesphere-system
+	case query.FieldNamespace:
+		return strings.Compare(item.Namespace, string(filter.Value)) == 0
+		// /namespaces?page=1&limit=10&ownerReference=a8a8d6cf-f6a5-4fea-9c1b-e57610115706
+	case query.FieldOwnerReference:
+		for _, ownerReference := range item.OwnerReferences {
+			if strings.Compare(string(ownerReference.UID), string(filter.Value)) == 0 {
+				return true
+			}
+		}
+		return false
+		// /namespaces?page=1&limit=10&ownerKind=Workspace
+	case query.FieldOwnerKind:
+		for _, ownerReference := range item.OwnerReferences {
+			if strings.Compare(ownerReference.Kind, string(filter.Value)) == 0 {
+				return true
+			}
+		}
+		return false
+		// /namespaces?page=1&limit=10&annotation=openpitrix_runtime
+	case query.FieldAnnotation:
+		return containsAnyValue(item.Annotations, string(filter.Value))
+		// /namespaces?page=1&limit=10&label=kubesphere.io/workspace:system-workspace
+	case query.FieldLabel:
+		return containsAnyValue(item.Labels, string(filter.Value))
+	case query.FieldClusterName:
+		return strings.Compare(item.ClusterName, string(filter.Value)) == 0
+	default:
+		return false
+	}
+}
+
+// Filter format <key:><value>,if the key is defined, the key must match exactly, value match according to strings.Contains.
+func containsAnyValue(keyValues map[string]string, filter string) bool {
+	fields := strings.SplitN(filter, ":", 2)
+	var keyFilter, valueFilter string
+	if len(fields) == 2 {
+		keyFilter = fields[0]
+		valueFilter = fields[1]
+	} else {
+		valueFilter = fields[0]
+	}
+	for key, value := range keyValues {
+		if (key == keyFilter || keyFilter == "") && strings.Contains(value, valueFilter) {
+			return true
+		}
+	}
+	return false
+}
+
 func objectsToInterfaces(objs []runtime.Object) []interface{} {
-	var res []interface{}
+	res := make([]interface{}, 0)
 	for _, obj := range objs {
 		res = append(res, obj)
 	}
--- a/pkg/models/resources/v1alpha3/namespace/namespaces.go
+++ b/pkg/models/resources/v1alpha3/namespace/namespaces.go
@@ -15,7 +15,7 @@ type namespaceGetter struct {
 	informers informers.SharedInformerFactory
 }

-func NewNamespaceGetter(informers informers.SharedInformerFactory) v1alpha3.Interface {
+func New(informers informers.SharedInformerFactory) v1alpha3.Interface {
 	return &namespaceGetter{informers: informers}
 }

@@ -42,14 +42,11 @@ func (n namespaceGetter) filter(item runtime.Object, filter query.Filter) bool {
 	if !ok {
 		return false
 	}
-
 	switch filter.Field {
-	case query.FieldName:
-		return query.ComparableString(namespace.Name).Contains(filter.Value)
 	case query.FieldStatus:
-		return query.ComparableString(namespace.Status.Phase).Compare(filter.Value) == 0
+		return strings.Compare(string(namespace.Status.Phase), string(filter.Value)) == 0
 	default:
-		return false
+		return v1alpha3.DefaultObjectMetaFilter(namespace.ObjectMeta, filter)
 	}
 }

@@ -63,13 +60,5 @@ func (n namespaceGetter) compare(left runtime.Object, right runtime.Object, fiel
 	if !ok {
 		return true
 	}
-
-	switch field {
-	case query.FieldName:
-		return strings.Compare(leftNs.Name, rightNs.Name) > 0
-	case query.FieldCreationTimeStamp:
-		return leftNs.CreationTimestamp.After(rightNs.CreationTimestamp.Time)
-	default:
-		return false
-	}
+	return v1alpha3.DefaultObjectMetaCompare(leftNs.ObjectMeta, rightNs.ObjectMeta, field)
 }
--- a/pkg/models/resources/v1alpha3/resource/resource.go
+++ b/pkg/models/resources/v1alpha3/resource/resource.go
@@ -8,27 +8,29 @@ import (
 	"kubesphere.io/kubesphere/pkg/informers"
 	"kubesphere.io/kubesphere/pkg/models/resources/v1alpha3"
 	"kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/deployment"
+	"kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/namespace"
 )

 var ErrResourceNotSupported = errors.New("resource is not supported")

-type NamespacedResourceGetter struct {
+type ResourceGetter struct {
 	getters map[schema.GroupVersionResource]v1alpha3.Interface
 }

-func New(factory informers.InformerFactory) *NamespacedResourceGetter {
+func New(factory informers.InformerFactory) *ResourceGetter {
 	getters := make(map[schema.GroupVersionResource]v1alpha3.Interface)

 	getters[schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}] = deployment.New(factory.KubernetesSharedInformerFactory())
+	getters[schema.GroupVersionResource{Group: "", Version: "v1", Resource: "namespaces"}] = namespace.New(factory.KubernetesSharedInformerFactory())

-	return &NamespacedResourceGetter{
+	return &ResourceGetter{
 		getters: getters,
 	}
 }

 // tryResource will retrieve a getter with resource name, it doesn't guarantee find resource with correct group version
 // need to refactor this use schema.GroupVersionResource
-func (r *NamespacedResourceGetter) tryResource(resource string) v1alpha3.Interface {
+func (r *ResourceGetter) tryResource(resource string) v1alpha3.Interface {
 	for k, v := range r.getters {
 		if k.Resource == resource {
 			return v
@@ -38,21 +40,18 @@ func (r *NamespacedResourceGetter) tryResource(resource string) v1alpha3.Interfa
 	return nil
 }

-func (r *NamespacedResourceGetter) Get(resource, namespace, name string) (interface{}, error) {
+func (r *ResourceGetter) Get(resource, namespace, name string) (interface{}, error) {
 	getter := r.tryResource(resource)
 	if getter == nil {
 		return nil, ErrResourceNotSupported
 	}
-
 	return getter.Get(namespace, name)
 }

-func (r *NamespacedResourceGetter) List(resource, namespace string, query *query.Query) (*api.ListResult, error) {
+func (r *ResourceGetter) List(resource, namespace string, query *query.Query) (*api.ListResult, error) {
 	getter := r.tryResource(resource)
 	if getter == nil {
 		return nil, ErrResourceNotSupported
 	}
-
 	return getter.List(namespace, query)
-
 }
--- a/pkg/models/resources/v1alpha3/resource/resource_test.go
+++ b/pkg/models/resources/v1alpha3/resource/resource_test.go
@@ -0,0 +1,111 @@
+/*
+ *
+ * Copyright 2020 The KubeSphere Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * /
+ */
+
+package resource
+
+import (
+	"github.com/google/go-cmp/cmp"
+	fakeapp "github.com/kubernetes-sigs/application/pkg/client/clientset/versioned/fake"
+	fakeistio "istio.io/client-go/pkg/clientset/versioned/fake"
+	v1 "k8s.io/api/core/v1"
+	corev1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fakek8s "k8s.io/client-go/kubernetes/fake"
+	"kubesphere.io/kubesphere/pkg/api"
+	"kubesphere.io/kubesphere/pkg/apiserver/query"
+	fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
+	"kubesphere.io/kubesphere/pkg/informers"
+	"testing"
+)
+
+func TestResourceGetter(t *testing.T) {
+
+	namespaces := make([]interface{}, 0)
+	defaultNamespace := &v1.Namespace{
+		ObjectMeta: corev1.ObjectMeta{
+			Name:   "default",
+			Labels: map[string]string{"kubesphere.io/workspace": "system-workspace"},
+		},
+	}
+	kubesphereNamespace := &v1.Namespace{
+		ObjectMeta: corev1.ObjectMeta{
+			Name:   "kubesphere-system",
+			Labels: map[string]string{"kubesphere.io/workspace": "system-workspace"},
+		},
+	}
+
+	namespaces = append(namespaces, defaultNamespace, kubesphereNamespace)
+
+	ksClient := fakeks.NewSimpleClientset()
+	k8sClient := fakek8s.NewSimpleClientset(defaultNamespace, kubesphereNamespace)
+	istioClient := fakeistio.NewSimpleClientset()
+	appClient := fakeapp.NewSimpleClientset()
+	fakeInformerFactory := informers.NewInformerFactories(k8sClient, ksClient, istioClient, appClient)
+
+	k8sInformerFactory := fakeInformerFactory.KubernetesSharedInformerFactory()
+	for _, namespace := range namespaces {
+		err := k8sInformerFactory.Core().V1().Namespaces().Informer().GetIndexer().Add(namespace)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	resource := New(fakeInformerFactory)
+
+	tests := []struct {
+		Name           string
+		Resource       string
+		Namespace      string
+		Query          *query.Query
+		ExpectError    error
+		ExpectResponse *api.ListResult
+	}{
+		{
+			Name:      "normal case",
+			Resource:  "namespaces",
+			Namespace: "",
+			Query: &query.Query{
+				Pagination: &query.Pagination{
+					Limit:  10,
+					Offset: 0,
+				},
+				SortBy:    query.FieldName,
+				Ascending: false,
+				Filters:   []query.Filter{},
+			},
+			ExpectError: nil,
+			ExpectResponse: &api.ListResult{
+				Items:      namespaces,
+				TotalItems: 2,
+			},
+		},
+	}
+
+	for _, test := range tests {
+
+		result, err := resource.List(test.Resource, test.Namespace, test.Query)
+
+		t.Logf("%+v", result)
+		if err != test.ExpectError {
+			t.Errorf("expected error: %s, got: %s", test.ExpectError, err)
+		}
+		if diff := cmp.Diff(test.ExpectResponse, result); diff != "" {
+			t.Errorf(diff)
+		}
+	}
+
+}
--- a/pkg/models/tenant/workspaces.go
+++ b/pkg/models/tenant/workspaces.go
@@ -22,6 +22,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
 	"kubesphere.io/kubesphere/pkg/client/informers/externalversions"
 	"kubesphere.io/kubesphere/pkg/constants"
@@ -37,12 +38,10 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
-
-	iamapi "kubesphere.io/kubesphere/pkg/api/iam"
 )

 type InWorkspaceUser struct {
-	*iamapi.User
+	*iamv1alpha2.User
 	WorkspaceRole string `json:"workspaceRole"`
 }

--- a/pkg/simple/client/ldap/interface.go
+++ b/pkg/simple/client/ldap/interface.go
@@ -1,20 +1,22 @@
 package ldap

-import "kubesphere.io/kubesphere/pkg/api/iam"
+import (
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+)

 // Interface defines CRUD behaviors of manipulating users
 type Interface interface {
 	// Create create a new user in ldap
-	Create(user *iam.User) error
+	Create(user *iamv1alpha2.User) error

 	// Update updates a user information, return error if user not exists
-	Update(user *iam.User) error
+	Update(user *iamv1alpha2.User) error

 	// Delete deletes a user from ldap, return nil if user not exists
 	Delete(name string) error

 	// Get gets a user by its username from ldap, return ErrUserNotExists if user not exists
-	Get(name string) (*iam.User, error)
+	Get(name string) (*iamv1alpha2.User, error)

 	// Authenticate checks if (name, password) is valid, return ErrInvalidCredentials if not
 	Authenticate(name string, password string) error
--- a/pkg/simple/client/ldap/ldap.go
+++ b/pkg/simple/client/ldap/ldap.go
@@ -21,7 +21,8 @@ import (
 	"fmt"
 	"github.com/go-ldap/ldap"
 	"github.com/google/uuid"
-	"kubesphere.io/kubesphere/pkg/api/iam"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/server/errors"
 	"sync"
 	"time"
@@ -181,7 +182,7 @@ func (l *ldapInterfaceImpl) filterForUsername(username string) string {
 	return fmt.Sprintf("(&(objectClass=inetOrgPerson)(|(uid=%s)(mail=%s)))", username, username)
 }

-func (l *ldapInterfaceImpl) Get(name string) (*iam.User, error) {
+func (l *ldapInterfaceImpl) Get(name string) (*iamv1alpha2.User, error) {
 	conn, err := l.newConn()
 	if err != nil {
 		return nil, err
@@ -215,20 +216,24 @@ func (l *ldapInterfaceImpl) Get(name string) (*iam.User, error) {

 	userEntry := searchResults.Entries[0]

-	user := &iam.User{
-		Name:        userEntry.GetAttributeValue(ldapAttributeUserID),
-		Email:       userEntry.GetAttributeValue(ldapAttributeMail),
-		Lang:        userEntry.GetAttributeValue(ldapAttributePreferredLanguage),
-		Description: userEntry.GetAttributeValue(ldapAttributeDescription),
+	user := &iamv1alpha2.User{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: userEntry.GetAttributeValue(ldapAttributeUserID),
+		},
+		Spec: iamv1alpha2.UserSpec{
+			Email:       userEntry.GetAttributeValue(ldapAttributeMail),
+			Lang:        userEntry.GetAttributeValue(ldapAttributePreferredLanguage),
+			Description: userEntry.GetAttributeValue(ldapAttributeDescription),
+		},
 	}

 	createTimestamp, _ := time.Parse(ldapAttributeCreateTimestampLayout, userEntry.GetAttributeValue(ldapAttributeCreateTimestamp))
-	user.CreateTime = createTimestamp
+	user.ObjectMeta.CreationTimestamp.Time = createTimestamp

 	return user, nil
 }

-func (l *ldapInterfaceImpl) Create(user *iam.User) error {
+func (l *ldapInterfaceImpl) Create(user *iamv1alpha2.User) error {
 	if _, err := l.Get(user.Name); err != nil {
 		return ErrUserAlreadyExisted
 	}
@@ -266,19 +271,19 @@ func (l *ldapInterfaceImpl) Create(user *iam.User) error {
 			},
 			{
 				Type: ldapAttributeMail,
-				Vals: []string{user.Email},
+				Vals: []string{user.Spec.Email},
 			},
 			{
 				Type: ldapAttributeUserPassword,
-				Vals: []string{user.Password},
+				Vals: []string{user.Spec.EncryptedPassword},
 			},
 			{
 				Type: ldapAttributePreferredLanguage,
-				Vals: []string{user.Lang},
+				Vals: []string{user.Spec.Lang},
 			},
 			{
 				Type: ldapAttributeDescription,
-				Vals: []string{user.Description},
+				Vals: []string{user.Spec.Description},
 			},
 		},
 	}
@@ -314,7 +319,7 @@ func (l *ldapInterfaceImpl) Delete(name string) error {
 	return conn.Del(deleteRequest)
 }

-func (l *ldapInterfaceImpl) Update(newUser *iam.User) error {
+func (l *ldapInterfaceImpl) Update(newUser *iamv1alpha2.User) error {
 	conn, err := l.newConn()
 	if err != nil {
 		return err
@@ -331,16 +336,16 @@ func (l *ldapInterfaceImpl) Update(newUser *iam.User) error {
 		DN: l.dnForUsername(newUser.Name),
 	}

-	if newUser.Description != "" {
-		modifyRequest.Replace(ldapAttributeDescription, []string{newUser.Description})
+	if newUser.Spec.Description != "" {
+		modifyRequest.Replace(ldapAttributeDescription, []string{newUser.Spec.Description})
 	}

-	if newUser.Lang != "" {
-		modifyRequest.Replace(ldapAttributePreferredLanguage, []string{newUser.Lang})
+	if newUser.Spec.Lang != "" {
+		modifyRequest.Replace(ldapAttributePreferredLanguage, []string{newUser.Spec.Lang})
 	}

-	if newUser.Password != "" {
-		modifyRequest.Replace(ldapAttributeUserPassword, []string{newUser.Password})
+	if newUser.Spec.EncryptedPassword != "" {
+		modifyRequest.Replace(ldapAttributeUserPassword, []string{newUser.Spec.EncryptedPassword})
 	}

 	return conn.Modify(modifyRequest)
--- a/pkg/simple/client/ldap/simple_ldap.go
+++ b/pkg/simple/client/ldap/simple_ldap.go
@@ -1,40 +1,43 @@
 package ldap

 import (
-	"kubesphere.io/kubesphere/pkg/api/iam"
-	"time"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 )

 // simpleLdap is a implementation of ldap.Interface, you should never use this in production env!
 type simpleLdap struct {
-	store map[string]*iam.User
+	store map[string]*iamv1alpha2.User
 }

 func NewSimpleLdap() Interface {
 	sl := &simpleLdap{
-		store: map[string]*iam.User{},
+		store: map[string]*iamv1alpha2.User{},
 	}

 	// initialize with a admin user
-	admin := &iam.User{
-		Name:        "admin",
-		Email:       "admin@kubesphere.io",
-		Lang:        "eng",
-		Description: "administrator",
-		CreateTime:  time.Now(),
-		Groups:      nil,
-		Password:    "P@88w0rd",
+	admin := &iamv1alpha2.User{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "admin",
+		},
+		Spec: iamv1alpha2.UserSpec{
+			Email:             "admin@kubesphere.io",
+			Lang:              "eng",
+			Description:       "administrator",
+			Groups:            nil,
+			EncryptedPassword: "P@88w0rd",
+		},
 	}
 	sl.store[admin.Name] = admin
 	return sl
 }

-func (s simpleLdap) Create(user *iam.User) error {
+func (s simpleLdap) Create(user *iamv1alpha2.User) error {
 	s.store[user.Name] = user
 	return nil
 }

-func (s simpleLdap) Update(user *iam.User) error {
+func (s simpleLdap) Update(user *iamv1alpha2.User) error {
 	_, err := s.Get(user.Name)
 	if err != nil {
 		return err
@@ -52,7 +55,7 @@ func (s simpleLdap) Delete(name string) error {
 	return nil
 }

-func (s simpleLdap) Get(name string) (*iam.User, error) {
+func (s simpleLdap) Get(name string) (*iamv1alpha2.User, error) {
 	if user, ok := s.store[name]; !ok {
 		return nil, ErrUserNotExists
 	} else {
@@ -64,7 +67,7 @@ func (s simpleLdap) Authenticate(name string, password string) error {
 	if user, err := s.Get(name); err != nil {
 		return err
 	} else {
-		if user.Password != password {
+		if user.Spec.EncryptedPassword != password {
 			return ErrInvalidCredentials
 		}
 	}
--- a/pkg/simple/client/ldap/simple_ldap_test.go
+++ b/pkg/simple/client/ldap/simple_ldap_test.go
@@ -2,22 +2,26 @@ package ldap

 import (
 	"github.com/google/go-cmp/cmp"
-	"kubesphere.io/kubesphere/pkg/api/iam"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
 	"testing"
-	"time"
 )

 func TestSimpleLdap(t *testing.T) {
 	ldapClient := NewSimpleLdap()

-	foo := &iam.User{
-		Name:        "jerry",
-		Email:       "jerry@kubesphere.io",
-		Lang:        "en",
-		Description: "Jerry is kind and gentle.",
-		CreateTime:  time.Now(),
-		Groups:      []string{},
-		Password:    "P@88w0rd",
+	foo := &iamv1alpha2.User{
+		TypeMeta: metav1.TypeMeta{APIVersion: iamv1alpha2.SchemeGroupVersion.String()},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "jerry",
+		},
+		Spec: iamv1alpha2.UserSpec{
+			Email:             "jerry@kubesphere.io",
+			Lang:              "en",
+			Description:       "Jerry is kind and gentle.",
+			Groups:            []string{},
+			EncryptedPassword: "P@88w0rd",
+		},
 	}

 	t.Run("should create user", func(t *testing.T) {
@@ -44,7 +48,7 @@ func TestSimpleLdap(t *testing.T) {
 			t.Fatal(err)
 		}

-		foo.Description = "Jerry needs some drinks."
+		foo.Spec.Description = "Jerry needs some drinks."
 		err = ldapClient.Update(foo)
 		if err != nil {
 			t.Fatal(err)
@@ -85,7 +89,7 @@ func TestSimpleLdap(t *testing.T) {
 			t.Fatal(err)
 		}

-		err = ldapClient.Authenticate(foo.Name, foo.Password)
+		err = ldapClient.Authenticate(foo.Name, foo.Spec.EncryptedPassword)
 		if err != nil {
 			t.Fatalf("should pass but got an error %v", err)
 		}