Version: FCP 25.11

External User Authentication System

With external authentication, login control is implemented via account lock. When you choose to integrate with an external authentication system during deployment, you can set the default status for synced users to Locked or Normal (default: Normal/Allowed).

  • If set to Normal, all synced users are Normal by default and can log in to the Fastone platform immediately.
  • If set to Locked, all synced users are Locked by default and cannot log in. An administrator must change the user status to Normal before the user can log in.

Login Verification Flow

When an external-auth user logs in to the platform:

  • First, the platform checks (case-insensitive) whether the user exists in the external authentication system. If not, login fails with the message: "Login failed. Please check whether the username and password are correct."
  • If the user exists, the platform validates the external-auth password. If incorrect, login fails with the same message.
  • If the password is correct, the platform checks whether the user exists in User Management on the Fastone platform.
    • If the user exists, the platform checks whether the user is locked on the Fastone platform. If locked, login fails with the same message. If not locked, the platform determines the user's role:
      1. Regular user: login succeeds and the regular user UI is shown.
      2. Administrator: login succeeds and the administrator UI is shown.
    • If the user does not exist, the platform syncs the user and applies the default status configured for synced users:
      1. If default is Locked, login fails with the same message.
      2. If default is Normal, login succeeds and the regular user UI is shown (synced users are regular users by default).
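The decision sequence above, written out as runnable code. This is an added example, not code from the Fastone platform: the external authentication system is replaced by a constructed in-memory stub (`ExternalAuthStub`), and the `PlatformUser`, `LoginResult` and `verify_login` names are assumptions for this illustration. It shows the two points a defender cares about in this flow: the external lookup is case-insensitive while the platform record is keyed by the canonical username, and every failure path (unknown user, wrong password, locked account, default-locked sync) returns the same message, so the response does not reveal which check failed.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# The page specifies one message for every failure, whatever the cause.
GENERIC_FAILURE = "Login failed. Please check whether the username and password are correct."


@dataclass
class PlatformUser:
    """A User Management record on the platform (hypothetical model)."""
    username: str
    status: str            # "Normal" or "Locked"
    status_reason: str     # e.g. "default normal", "default locked"
    role: str = "regular"  # "regular" or "administrator"


@dataclass
class LoginResult:
    ok: bool
    message: str
    ui: Optional[str] = None  # which UI is shown on success: "regular" or "administrator"


class ExternalAuthStub:
    """Stand-in for the external authentication system (constructed for this example)."""

    def __init__(self, credentials: Dict[str, str]):
        # Index by lower-cased name so the existence check is case-insensitive,
        # while the original spelling is kept as the canonical username.
        self._by_lower = {name.lower(): (name, pw) for name, pw in credentials.items()}

    def find_user(self, username: str) -> Optional[str]:
        entry = self._by_lower.get(username.lower())
        return entry[0] if entry else None

    def check_password(self, canonical: str, password: str) -> bool:
        stored = self._by_lower[canonical.lower()][1]
        # Constant-time comparison; a real system would delegate this to the external service.
        return hmac.compare_digest(stored.encode(), password.encode())


def verify_login(username: str, password: str, external: ExternalAuthStub,
                 platform_users: Dict[str, PlatformUser],
                 default_status: str) -> LoginResult:
    """Walk the login verification flow. platform_users is mutated when a user is synced."""
    # 1. Does the user exist in the external system (case-insensitive)?
    canonical = external.find_user(username)
    if canonical is None:
        return LoginResult(False, GENERIC_FAILURE)

    # 2. Validate the password against the external system.
    if not external.check_password(canonical, password):
        return LoginResult(False, GENERIC_FAILURE)

    # 3. Does the user already exist in User Management on the platform?
    record = platform_users.get(canonical)
    if record is None:
        # Not yet synced: create the record with the deployment default status.
        # Synced users are regular users; a "Locked" default fails the login below.
        reason = "default locked" if default_status == "Locked" else "default normal"
        record = PlatformUser(canonical, default_status, reason)
        platform_users[canonical] = record

    # 4. Locked on the platform? Same message as every other failure.
    if record.status == "Locked":
        return LoginResult(False, GENERIC_FAILURE)

    # 5. Role decides which UI is shown.
    return LoginResult(True, "ok", ui=record.role)


if __name__ == "__main__":
    ext = ExternalAuthStub({"Alice": "s3cret", "bob": "pw"})
    users = {"Alice": PlatformUser("Alice", "Normal", "default normal", role="administrator")}
    print(verify_login("alice", "s3cret", ext, users, "Normal"))   # administrator UI
    print(verify_login("BOB", "pw", ext, users, "Locked"))         # synced, then fails: locked
```

The same `GENERIC_FAILURE` string on every branch is deliberate: distinct messages for "no such user" and "wrong password" would let a caller enumerate valid usernames against the external system.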

User Management

User Management periodically syncs newly created users and their group memberships from the external authentication system. If a user is deleted in the external auth system, the user record remains on the Fastone platform, but the deleted user can no longer log in. If that user owns resources on the platform, such as clusters, jobs, files, or subscription instances, those resources can be released only by an administrator or a user with equivalent permissions.

  • User types
    The platform has three user types: deploy (environment configuration admin), admin (super admin), and other users.

    • deploy users are environment configuration admins. They can configure all platform parameters. See Environment Configuration Overview.
    • admin users are super admins. They have all platform permissions and cannot be deleted.
    • Other users are synced periodically, and their permissions are assigned by admin users. Synced users are added to the defaultGroup group by default. defaultGroup functions the same as in built-in LDAP and is used as the default permission control group for regular users.
  • Field descriptions

    • UID: User UID in the external authentication system.
    • Name: Defaults to the username. Can be modified by administrators and by the user themselves.
    • Username: Username in the external authentication system. Cannot be modified.
    • Mobile: Defaults to empty. Can be modified by administrators.
    • Login Shell: Default -. Cannot be modified.
    • Home Directory: Default -. Cannot be modified.
    • Status: If the deployment default is Locked, the status is Locked by default. If the deployment default is Normal/Allowed, the status is Normal by default. Administrators can modify the status. The status also shows the reason for Normal/Locked.
    • Email: Defaults to empty. Can be modified by administrators and by the user themselves.
    • Roles: Defaults to empty. Can be modified.
    • User Groups: User groups from the external auth system plus the defaultGroup group. Cannot be modified.
    • Primary Group: Primary group from the external auth system.
    • Specified UID: UID from the external auth system.
  • Status notes

    • If a user is found to be deleted in the external authentication system during sync, the user is automatically set to Locked, and deleted users cannot be edited.
    • For Locked users, the lock reason is shown, such as "deleted in external auth system", "default locked", or "manually locked by admin".
    • For Normal users, the normal reason is shown, such as "default normal" or "manually set to normal by admin".
  • Actions

    • Edit: Administrators can edit Name, Mobile, and Email. Regular users can edit their own Email.
    • Delete: Deleting users is not supported.
    • Add: Adding users is not supported in this mode (users are synced from external auth).

User Groups

Group information is synced periodically, including GID, group name, and group members. If a new group is created in the external auth system, it is synced to the Fastone platform. If a group is deleted in the external auth system, it is also removed from the Fastone platform.
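The periodic sync described in the User Management section (new users created with the deployment default status and placed in defaultGroup; users deleted externally kept on the platform but set to Locked with the reason "deleted in external auth system") and in the paragraph above (groups added, removed, and their GID and members refreshed) as one worked routine. This is an added example, not the platform's own sync code; the data classes, the `sync_users`/`sync_groups` functions and the treatment of defaultGroup as a platform-local group that the group sync never removes are assumptions made for the illustration. Locally edited group fields (Description, WeCom, Feishu) are left untouched by the sync, matching what the page says can be edited.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DEFAULT_GROUP = "defaultGroup"
DELETED_REASON = "deleted in external auth system"


@dataclass
class ExternalUser:          # snapshot of one user from the external auth system (constructed)
    uid: int
    username: str
    primary_group: str
    groups: List[str]


@dataclass
class ExternalGroup:         # snapshot of one group from the external auth system (constructed)
    gid: int
    name: str
    members: List[str]


@dataclass
class PlatformUser:          # hypothetical User Management record
    uid: int
    username: str
    status: str              # "Normal" or "Locked"
    status_reason: str
    primary_group: str
    groups: Set[str] = field(default_factory=set)

    @property
    def editable(self) -> bool:
        # Records locked because the external user was deleted cannot be edited.
        return self.status_reason != DELETED_REASON


@dataclass
class PlatformGroup:         # hypothetical User Groups record
    gid: int
    name: str
    members: Set[str] = field(default_factory=set)
    description: str = ""    # local-only fields survive a sync
    wecom: str = ""
    feishu: str = ""


def sync_users(external: Dict[str, ExternalUser], platform: Dict[str, PlatformUser],
               default_status: str) -> Dict[str, List[str]]:
    """Create newly seen users and lock users that vanished externally; never delete records."""
    added, locked = [], []
    for name, ext in external.items():
        memberships = set(ext.groups) | {DEFAULT_GROUP}   # every synced user joins defaultGroup
        if name in platform:
            platform[name].groups = memberships           # refresh memberships only
            continue
        reason = "default locked" if default_status == "Locked" else "default normal"
        platform[name] = PlatformUser(ext.uid, name, default_status, reason,
                                      ext.primary_group, memberships)
        added.append(name)
    for name, rec in platform.items():
        if name not in external and rec.status_reason != DELETED_REASON:
            rec.status, rec.status_reason = "Locked", DELETED_REASON   # record is retained
            locked.append(name)
    return {"added": added, "locked": locked}


def sync_groups(external: Dict[str, ExternalGroup],
                platform: Dict[str, PlatformGroup]) -> Dict[str, List[str]]:
    """Mirror external groups: add new ones, refresh GID/members, remove deleted ones."""
    added, removed = [], []
    for name, ext in external.items():
        if name in platform:
            platform[name].gid = ext.gid
            platform[name].members = set(ext.members)
        else:
            platform[name] = PlatformGroup(ext.gid, name, set(ext.members))
            added.append(name)
    for name in list(platform):
        # Assumption: defaultGroup is platform-local and is never removed by the sync.
        if name != DEFAULT_GROUP and name not in external:
            del platform[name]
            removed.append(name)
    return {"added": added, "removed": removed}
```

The asymmetry is the point worth noticing: a group deleted externally disappears from the platform, but a user deleted externally is only locked, because the user may still own clusters, jobs or files that an administrator has to release.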

  • Field descriptions

    • GID: Group GID in the external auth system.
    • Group Name: Group name in the external auth system.
    • Description: Defaults to empty.
    • Members: Group members in the external auth system.
    • WeCom: Defaults to empty.
    • Feishu: Defaults to empty.
  • Actions

    • Add: Not supported.
    • Delete: Not supported.
    • Edit: You can edit Description, add WeCom, and add Feishu. You cannot edit GID, Group Name, or Members.

Role Management

Role management assigns roles and permissions to users and groups to enable controlled access to system resources.

  • Field descriptions

    • Name: Role name.
    • Permissions: Permissions granted by the role. For details, see Permissions.
    • Description: Role description shown when assigning the role to users or groups.
  • Actions

    • Edit: All fields above can be edited.
    • Delete: Deleting a role also removes the permissions associated with that role from all related users and groups.