Skip to content

feat: exempt service accounts from PREVENT_CONCURRENT_LOGINS single-login enforcement#38825

Open
blarghmatey wants to merge 2 commits into
openedx:masterfrom
blarghmatey:prevent-concurrent-logins-service-account-exemption
Open

feat: exempt service accounts from PREVENT_CONCURRENT_LOGINS single-login enforcement#38825
blarghmatey wants to merge 2 commits into
openedx:masterfrom
blarghmatey:prevent-concurrent-logins-service-account-exemption

Conversation

@blarghmatey

Copy link
Copy Markdown
Contributor

Description

Adds an opt-in way to exempt specific accounts from PREVENT_CONCURRENT_LOGINS single-login enforcement.

enforce_single_login (common/djangoapps/student/models/user.py) deletes a user's previously registered session on every login (one session slot per user, via UserProfile.set_login_session). For human accounts that is the intended behavior. For shared service/automation accounts — most notably the xqueue-watcher grader account, where many concurrent workers all authenticate as one user — each login evicts the other workers' sessions, causing a self-sustaining login storm and persistent 401/403s that stall external grading.

This change lets operators exempt such accounts via two new settings, both defaulting to empty so existing behavior is unchanged unless configured:

  • SINGLE_LOGIN_EXEMPT_USERNAMES — iterable of exact usernames
  • SINGLE_LOGIN_EXEMPT_GROUPS — iterable of group names (membership in any exempts the user)

When a logging-in user matches, enforce_single_login returns early; PREVENT_CONCURRENT_LOGINS remains fully enforced for everyone else.

Fixes #38824

How was this tested?

Added test_single_session_exempt_user in openedx/core/djangoapps/user_authn/views/tests/test_login.py, asserting that with PREVENT_CONCURRENT_LOGINS enabled and the user in SINGLE_LOGIN_EXEMPT_USERNAMES, a second concurrent login does not record the single-session slot (and therefore does not evict the first session). The existing test_single_session continues to assert the default (non-exempt) eviction behavior.

Settings are backward compatible

Both settings read via getattr(..., None) or (), so deployments that don't define them behave exactly as before.

🤖 Generated with Claude Code

@blarghmatey blarghmatey requested a review from a team as a code owner June 29, 2026 21:18
@openedx-webhooks

Copy link
Copy Markdown

Thanks for the pull request, @blarghmatey!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

@openedx-webhooks openedx-webhooks added the open-source-contribution PR author is not from Axim or 2U label Jun 29, 2026
@github-project-automation github-project-automation Bot moved this to Needs Triage in Contributions Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

open-source-contribution PR author is not from Axim or 2U

Projects

Status: Needs Triage

Development

Successfully merging this pull request may close these issues.

PREVENT_CONCURRENT_LOGINS evicts shared service-account sessions (xqueue-watcher login storm); no exemption mechanism

2 participants