Introduction

The platform authenticates all users, whether local accounts or accounts from a third-party identity provider, and verifies every login.


User Sources

Local Users

  • Administrator account created during platform deployment
  • Accounts created through the platform interface
  • Users added through the local dex configuration file

Third-Party Users

LDAP Users

  • Enterprise users synchronized from LDAP servers
  • Accounts are imported through IDP (Identity Provider) integration
  • Source is displayed as the IDP configuration name
  • Integration is configured through IDP settings

OIDC Users

  • Third-party platform users authenticated via the OIDC protocol
  • Source is displayed as the IDP configuration name
  • Integration is configured through IDP settings

WARNING

For OIDC users added to a project before their first login:

  • Source is displayed as "-" until the user's first successful platform login
  • After a successful login, the source changes to the IDP configuration name

Other Third-Party Users

  • Users authenticated through supported dex connectors (e.g., GitHub, Microsoft)
  • For more information, refer to the official dex documentation

User Management Rules

WARNING

Please note the following rules:

  • Local usernames must be unique across all user types
  • A third-party user (OIDC/LDAP) whose username matches an existing user is automatically associated with that user
  • An associated user inherits the permissions already bound to the existing account
  • Users can log in through any of their associated sources
  • Only one user record is displayed per username
  • The displayed user source is the source of the most recent login

Because association is keyed on the username alone, every configured IDP is effectively trusted to assert usernames: a third-party account whose username matches an existing administrator obtains that administrator's permissions on its first login. Restrict which usernames an IDP can issue (for example, by scoping the connector to your own directory or organization) before enabling it.
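The rules above, modelled as an added example in Python (this is not the platform's own code): a small in-memory user directory that applies them and makes their consequence visible. The usernames, role names, the IDP configuration name corp-oidc, the source label "local" and the method names are constructed for illustration.

```python
from dataclasses import dataclass, field

LOCAL = "local"   # source label for local accounts (assumed name, not from the page)
UNSET = "-"       # source shown for a pre-added OIDC user before the first login


@dataclass
class User:
    username: str
    roles: set                        # permissions bound to this username
    source: str                       # source of the most recent login
    login_sources: set = field(default_factory=set)


class UserDirectory:
    """Model of the association rules: one record per username, keyed on the name only."""

    def __init__(self):
        self.users = {}

    def create_local(self, username, roles):
        # Local usernames must be unique across all user types.
        if username in self.users:
            raise ValueError(f"username {username!r} already exists")
        user = User(username, set(roles), LOCAL, {LOCAL})
        self.users[username] = user
        return user

    def add_to_project(self, username, roles):
        # A third-party user granted project roles before ever logging in:
        # the record exists with source "-" until the first successful login.
        user = self.users.setdefault(username, User(username, set(), UNSET))
        user.roles |= set(roles)
        return user

    def login(self, username, source):
        # A matching username from any source is associated with the existing
        # record and inherits everything bound to it; the displayed source
        # follows the most recent login method.
        user = self.users.setdefault(username, User(username, set(), source))
        user.login_sources.add(source)
        user.source = source
        return user


def demo():
    d = UserDirectory()
    d.create_local("admin", {"platform-admin"})
    admin = d.login("admin", "corp-oidc")       # OIDC login with the administrator's username
    source_after_oidc = admin.source
    d.login("admin", LOCAL)                     # local login flips the source back
    alice = d.add_to_project("alice", {"project-viewer"})
    alice_source_before = alice.source
    d.login("alice", "corp-oidc")
    return {
        "records": len(d.users),
        "admin_roles_via_oidc": set(admin.roles),
        "admin_source_after_oidc": source_after_oidc,
        "admin_source_now": d.users["admin"].source,
        "alice_source_before_login": alice_source_before,
        "alice_source_now": alice.source,
    }


if __name__ == "__main__":
    print(demo())
```

The OIDC login for "admin" returns the record carrying platform-admin without any local credential being involved, which is the behaviour the warning describes.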

Role Assignment Views

Every user detail page contains two dedicated tabs for viewing and maintaining role assignments:

  • Platform Roles (read-only): Lists the system-provided platform, project and namespace roles bound to the user. These roles cannot be edited or duplicated in the UI, but a binding can be removed if necessary.
  • Kubernetes Roles: Lists every RoleBinding and ClusterRoleBinding, across clusters, whose subjects include the user. Administrators can create or remove bindings here to grant or revoke native Kubernetes permissions.

Use the Platform Roles tab for the default access templates, and the Kubernetes Roles tab when you need fine-grained control through native roles.
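The same lookup the Kubernetes Roles tab performs, as an added example outside the UI (not the platform's code): a Python scan of RoleBinding and ClusterRoleBinding objects for those whose subjects name a given User. The sample document is constructed here in the shape of `kubectl get rolebindings,clusterrolebindings -A -o json`; the binding names, namespaces and users in it are invented.

```python
import json

# Constructed sample (not captured from a real cluster).
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "dev-edit", "namespace": "dev"},
            "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "edit"},
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "alice-cluster-admin"},
            "subjects": [{"kind": "User", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
        },
        {
            # A Group that happens to be named "alice" is not the User "alice".
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "ops-view", "namespace": "ops"},
            "subjects": [
                {"kind": "Group", "name": "alice", "apiGroup": "rbac.authorization.k8s.io"},
                {"kind": "User", "name": "bob", "apiGroup": "rbac.authorization.k8s.io"},
            ],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "view-only"},
        },
        {
            # A binding with no subjects is valid and must not break the scan.
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {"name": "orphan", "namespace": "dev"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
        },
    ],
})


def bindings_for_user(list_json, username):
    """Return every binding whose subjects list `username` with kind User."""
    found = []
    for item in json.loads(list_json).get("items", []):
        for subject in item.get("subjects") or []:   # "subjects" may be absent
            if subject.get("kind") == "User" and subject.get("name") == username:
                ref = item["roleRef"]
                found.append({
                    "kind": item["kind"],
                    "namespace": item["metadata"].get("namespace"),   # None for ClusterRoleBinding
                    "name": item["metadata"]["name"],
                    "role": f'{ref["kind"]}/{ref["name"]}',
                })
                break
    return found


def cluster_wide_grants(bindings):
    """The subset that applies to the whole cluster; ClusterRole/cluster-admin is the one to watch."""
    return [b for b in bindings if b["kind"] == "ClusterRoleBinding"]


if __name__ == "__main__":
    for b in bindings_for_user(SAMPLE, "alice"):
        print(b)
```

Replace SAMPLE with the real output of the kubectl command named above to audit a cluster; run it once per cluster to reproduce the tab's cross-cluster view.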

User Lifecycle

The following table describes the user statuses on the platform:

Status    Description

Normal    The user account is active and can log in to the platform.

Disabled  The user account is inactive and cannot log in. Contact a platform administrator to reactivate it.
          Possible reasons:
          - No login for 90 or more consecutive days
          - Account expiration
          - Manually disabled by an administrator

Locked    The account is temporarily locked after 5 failed login attempts within 24 hours.
          Details:
          - Lock duration: 20 minutes
          - Can be manually unlocked by an administrator
          - The account becomes available again after the lock period

Invalid   An LDAP-synchronized account that has been deleted from the LDAP server.
          Note: Invalid accounts cannot log in to the platform.
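The Disabled and Locked rules from the table, written out as an added Python model so their edge cases can be checked (this is a model of the stated policy, not the platform's implementation). It assumes the 24-hour window is measured backwards from each failed attempt, that inactivity is measured from the last successful login (or account creation for an account that never logged in), and that an administrator's unlock is recorded as a timestamp; account expiration and the Invalid status are not modelled. The timestamps in the usage are constructed.

```python
from datetime import datetime, timedelta

# Thresholds as stated in the status table.
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(hours=24)
LOCK_DURATION = timedelta(minutes=20)
INACTIVITY_LIMIT = timedelta(days=90)


def lock_started_at(failed_logins, now):
    """Time of the latest failure that completed 5 failures inside a trailing
    24-hour window, or None if no lock was ever triggered.

    Assumption: a failure exactly 24 hours before another has already left its window.
    """
    failures = sorted(t for t in failed_logins if t <= now)
    started = None
    for i, t in enumerate(failures):
        in_window = sum(1 for f in failures[: i + 1] if t - f < FAILURE_WINDOW)
        if in_window >= FAILURE_THRESHOLD:
            started = t
    return started


def account_status(failed_logins, last_success, now, manually_disabled=False, unlocked_at=None):
    """Return "Disabled", "Locked" or "Normal" under the table's rules.

    last_success: last successful login, or creation time if there was none (assumption).
    unlocked_at:  time of a manual administrator unlock, if any (assumption).
    """
    if manually_disabled or now - last_success >= INACTIVITY_LIMIT:
        return "Disabled"
    lock = lock_started_at(failed_logins, now)
    if lock is not None and now < lock + LOCK_DURATION:
        # A manual unlock only counts if it happened after the lock began.
        if unlocked_at is None or unlocked_at < lock:
            return "Locked"
    return "Normal"


if __name__ == "__main__":
    base = datetime(2024, 1, 1, 12, 0)                  # constructed timestamps
    ok = base - timedelta(days=1)
    burst = [base + timedelta(minutes=m) for m in range(5)]
    print(account_status(burst, ok, base + timedelta(minutes=5)))    # 5 failures in 5 minutes
    print(account_status(burst, ok, base + timedelta(minutes=24)))   # lock period elapsed
```

Five failures spaced six hours apart never trigger the lock, because the first one has dropped out of the 24-hour window by the time the fifth arrives; that is the kind of case worth confirming against the real platform before relying on the lockout as a brute-force control.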