Update login failed faq docs

Signed-off-by: hongming <talonwan@yunify.com>

content/en/docs/faq/access-control/cannot-login.md

@@ -6,7 +6,7 @@ linkTitle: "Account Login Failure"
 Weight: 16440
 ---
 
-KubeSphere automatically creates a default account (`admin/P@88w0rd`) when it is installed. After `ks-controller-manager` synchronizes statuses of accounts to OpenLDAP and Jenkins, accounts and passwords will be encrypted. An account cannot be used for login until the status reaches `Active`.
+KubeSphere automatically creates a default account (`admin/P@88w0rd`) when it is installed. An account cannot be used for login until the status reaches `Active`.
 
 Here are some of the frequently asked questions about account login failure.
 
@@ -86,9 +86,7 @@ kubectl -n kubesphere-system get deploy ks-controller-manager -o jsonpath='{.spe
 
 ## Wrong Username or Password
 
-![account-not-active](/images/docs/faq/access-control-and-account-management/cannot-login/wrong-password.png)
-
-`ks-console` and `ks-apiserver` use Redis to share data across multiple copies. When Redis fails, the copies of `ks-console` will not be able to share the salt required for password encryption and transmission.
+![incorrect-password](/images/docs/faq/access-control-and-account-management/cannot-login/wrong-password.png)
 
 Run the following command to verify that the account and the password are correct.
 
@@ -98,7 +96,7 @@ curl -u <USERNAME>:<PASSWORD> "http://`kubectl -n kubesphere-system get svc ks-a
 
 ### Redis failure
 
-Use the following commands to verify that Redis is running normally.
+`ks-console` and `ks-apiserver` use Redis to share data across multiple copies. Use the following commands to verify that Redis is running normally.
 
 ```
 kubectl -n kubesphere-system logs -l app=ks-console
@@ -141,3 +139,24 @@ You need to restore Redis and make sure it is running normally with good network
 ```
 kubectl -n kubesphere-system rollout restart deploy ks-console
 ```
+
+
+## Unable to login through a third party account after upgrading
+
+![forbidden](/images/docs/faq/access-control-and-account-management/cannot-login/forbidden.jpg)
+
+```js
+{
+  code: 403,
+  kind: 'Status',
+  apiVersion: 'v1',
+  metadata: {},
+  status: 'Failure',
+  message: 'users.iam.kubesphere.io is forbidden: User "system:pre-registration" cannot create resource "users" in API group "iam.kubesphere.io" at the cluster scope',
+  reason: 'Forbidden',
+  details: { group: 'iam.kubesphere.io', kind: 'users' },
+  statusText: 'Forbidden'
+}
+```
+
+This is a bug in the process of upgrading from V3.0.0 to v3.1.0，related issues and solutions: https://github.com/kubesphere/kubesphere/issues/3850

content/en/docs/faq/access-control/session-timeout.md

@@ -8,11 +8,11 @@ Weight: 16420
 
 A session starts as a user logs in to the console of KubeSphere. You may see a message of "**Session timeout or this account is logged in elsewhere, please login again**" when the session expires.
 
-## Inactivity Session Timeout
+## Session Timeout
 
-You can control when an inactive user session expires. The default session timeout is two hours of inactivity. It means once the session timeout is reached, the user will be automatically logged out of the console. You can [configure accessTokenMaxAge and accessTokenInactivityTimeout](../../../access-control-and-account-management/external-authentication/set-up-external-authentication/) for the session timeout.
+You can control when session expires. The default session timeout is two hours of inactivity. It means once the session timeout is reached, the user will be automatically logged out of the console. You can [configure accessTokenMaxAge and accessTokenInactivityTimeout](../../../access-control-and-account-management/external-authentication/set-up-external-authentication/) for the session timeout.
 
-## JWT Signature Verification Failed
+## Signature Verification Failed
 
 In a [multi-cluster environment](../../../multicluster-management/enable-multicluster/direct-connection/#prepare-a-member-cluster), `clusterRole` and `jwtSecret` must be set correctly.
 

content/zh/docs/faq/access-control/cannot-login.md

@@ -6,12 +6,11 @@ linkTitle: "帐户无法登录"
 Weight: 16440
 ---
 
-KubeSphere 安装时会自动创建 admin/P@88w0rd 默认帐户，ks-controller-manager 将用户状态同步到 openldap、Jekins 之后会加密帐户密码，在此之后帐户状态会被转换为 Active 帐户才可以正常登录。
-
+KubeSphere 安装时会自动创建 `admin/P@88w0rd` 默认帐户，密码错误或者帐户状态不是 active 会导致无法登录。
 
 下面是帐户无法登录时，一些常见的问题：
 
-## account not active
+## Account Not Active
 
 ![account-not-active](/images/docs/faq/access-control-and-account-management/cannot-login/account-not-active.png)
 
@@ -59,7 +58,7 @@ kubectl -n kubesphere-system logs -l app=openldap
 
 **解决方式**
 
-您需要先恢复 openldap、Jenkins 这两个服务并保证网络的连通性，重启 ks-controller-manager 后会立即触发 reconcile（当无法连接到 openldap 或 Jenkins 时重试间隔会递增）。
+您需要先恢复 openldap、Jenkins 这两个服务并保证网络的连通性，重启 ks-controller-manager。
 
 ```
 kubectl -n kubesphere-system rollout restart deploy ks-controller-manager
@@ -79,9 +78,7 @@ kubectl -n kubesphere-system get deploy ks-controller-manager -o jsonpath='{.spe
 
 ## 帐户或密码错误
 
-![account-not-active](/images/docs/faq/access-control-and-account-management/cannot-login/wrong-password.png)
-
-ks-console 和 ks-apiser 需要借助 Redis 在多个副本之间共享数据，当 Redis 服务异常时会导致 ks-console 多个副本之间无法共享密码加密传输时使用的 salt。
+![incorrect-password](/images/docs/faq/access-control-and-account-management/cannot-login/wrong-password.png)
 
 通过以下命令检查帐户密码是否正确：
 
@@ -91,7 +88,7 @@ curl -u <USERNAME>:<PASSWORD> "http://`kubectl -n kubesphere-system get svc ks-a
 
 ### Redis 异常
 
-您可以通过以下命令检查 Redis 服务是否正常：
+ks-console 和 ks-apiserver 需要借助 Redis 在多个副本之间共享数据。您可以通过以下命令检查 Redis 服务是否正常：
 
 ```
 kubectl -n kubesphere-system logs -l app=ks-console
@@ -107,25 +104,50 @@ kubectl -n kubesphere-system logs -l app=redis
 
 相关错误日志：
 
-> 1344:C 17 Sep 2020 17:13:18.099 # Failed opening the RDB file dump.rdb (in server root dir /data) for saving: Stale file handle
+```bash
+1344:C 17 Sep 2020 17:13:18.099 # Failed opening the RDB file dump.rdb (in server root dir /data) for saving: Stale file handle
 1:M 17 Sep 2020 17:13:18.198 # Background saving error
 1:M 17 Sep 2020 17:13:24.014 * 1 changes in 3600 seconds. Saving...
 1:M 17 Sep 2020 17:13:24.015 * Background saving started by pid 1345
 1345:C 17 Sep 2020 17:13:24.016 # Failed opening the RDB file dump.rdb (in server root dir /data) for saving: Stale file handle
 1:M 17 Sep 2020 17:13:24.115 # Background saving error
+```
 
-> E0909 07:05:22.770468 1 redis.go:51] unable to reach redis host EOF
+```bash
+E0909 07:05:22.770468 1 redis.go:51] unable to reach redis host EOF
+```
 
-> [WARNING] 252/094143 (6) : Server check_if_redis_is_master_0/R0 is DOWN, reason: Layer7 timeout, info: " at step 5 of tcp-check (expect string '10.223.2.232')", check duration: 1000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
+```bash
+[WARNING] 252/094143 (6) : Server check_if_redis_is_master_0/R0 is DOWN, reason: Layer7 timeout, info: " at step 5 of tcp-check (expect string '10.223.2.232')", check duration: 1000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
 [WARNING] 252/094143 (6) : Server check_if_redis_is_master_0/R1 is DOWN, reason: Layer7 timeout, info: " at step 5 of tcp-check (expect string '10.223.2.232')", check duration: 1000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
 [WARNING] 252/094143 (6) : Server check_if_redis_is_master_0/R2 is DOWN, reason: Layer7 timeout, info: " at step 5 of tcp-check (expect string '10.223.2.232')", check duration: 1000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
 [ALERT] 252/094143 (6) : backend 'check_if_redis_is_master_0' has no server available!
-
+```
 
 **解决方式**
 
-您需要先恢复 Redis 服务，保证其正常运行并且pod之间网络可以正常联通，稍后您可以重启 ks-console 以立即同步副本之间的数据。
+您需要先恢复 Redis 服务，保证其正常运行并且 pod 之间网络可以正常联通，稍后重启 ks-console。
 
 ```
 kubectl -n kubesphere-system rollout restart deploy ks-console
 ```
+
+## 升级到 v3.1.0 后无法通过第三方帐号登录
+
+![forbidden](/images/docs/faq/access-control-and-account-management/cannot-login/forbidden.jpg)
+
+```js
+{
+  code: 403,
+  kind: 'Status',
+  apiVersion: 'v1',
+  metadata: {},
+  status: 'Failure',
+  message: 'users.iam.kubesphere.io is forbidden: User "system:pre-registration" cannot create resource "users" in API group "iam.kubesphere.io" at the cluster scope',
+  reason: 'Forbidden',
+  details: { group: 'iam.kubesphere.io', kind: 'users' },
+  statusText: 'Forbidden'
+}
+```
+
+这是一个从 v3.0.0 升级到 v3.1.0 过程中存在的 bug，相关的 issue 和解决方式：[https://github.com/kubesphere/kubesphere/issues/3850](https://github.com/kubesphere/kubesphere/issues/3850)

content/zh/docs/faq/access-control/session-timeout.md

@@ -8,11 +8,11 @@ Weight: 16420
 
 当用户登录 KubeSphere 的控制台时会话开始。当会话过期时，您会看到信息“**会话超时或此帐户在其他地方登录，请重新登录**”。
 
-## 不活跃会话超时
+## 会话超时
 
-您可以控制不活跃用户的会话超时时间，默认超时时间为两小时，即达到会话超时时间后，用户会从控制台自动登出。您可以为会话超时配置 [accessTokenMaxAge 和 accessTokenInactivityTimeout](../../../access-control-and-account-management/configuring-authentication/#authentication-configuration)。
+您可以控制会话超时时间，默认超时时间为两小时，即达到会话超时时间后，用户会从控制台自动登出。您可以为会话超时配置 [accessTokenMaxAge 和 accessTokenInactivityTimeout](../../../access-control-and-account-management/configuring-authentication/#authentication-configuration)。
 
-## JWT 签名认证失败
+## 签名校验失败
 
 在[多集群环境](../../../multicluster-management/enable-multicluster/direct-connection/#prepare-a-member-cluster)下，您必须正确设置 `clusterRole` 和 `jwtSecret`。