feat: exempt service accounts from PREVENT_CONCURRENT_LOGINS single-login enforcement#38825
Conversation
|
Thanks for the pull request, @blarghmatey! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. DetailsWhere can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
Description
Adds an opt-in way to exempt specific accounts from
PREVENT_CONCURRENT_LOGINSsingle-login enforcement.enforce_single_login(common/djangoapps/student/models/user.py) deletes a user's previously registered session on every login (one session slot per user, viaUserProfile.set_login_session). For human accounts that is the intended behavior. For shared service/automation accounts — most notably thexqueue-watchergrader account, where many concurrent workers all authenticate as one user — each login evicts the other workers' sessions, causing a self-sustaining login storm and persistent401/403s that stall external grading.This change lets operators exempt such accounts via two new settings, both defaulting to empty so existing behavior is unchanged unless configured:
SINGLE_LOGIN_EXEMPT_USERNAMES— iterable of exact usernamesSINGLE_LOGIN_EXEMPT_GROUPS— iterable of group names (membership in any exempts the user)When a logging-in user matches,
enforce_single_loginreturns early;PREVENT_CONCURRENT_LOGINSremains fully enforced for everyone else.Fixes #38824
How was this tested?
Added
test_single_session_exempt_userinopenedx/core/djangoapps/user_authn/views/tests/test_login.py, asserting that withPREVENT_CONCURRENT_LOGINSenabled and the user inSINGLE_LOGIN_EXEMPT_USERNAMES, a second concurrent login does not record the single-session slot (and therefore does not evict the first session). The existingtest_single_sessioncontinues to assert the default (non-exempt) eviction behavior.Settings are backward compatible
Both settings read via
getattr(..., None) or (), so deployments that don't define them behave exactly as before.🤖 Generated with Claude Code