🇪🇺 "This service was created in the context of OpenAgri project (https://horizon-openagri.eu/). OpenAgri has received funding from the EU’s Horizon Europe research and innovation programme under Grant Agreement no. 101134083."
GateKeeper (GK) is the central authentication, authorization, and service-proxy component for shared OpenAgri deployments.
It is responsible for:
- authenticating users and issuing JWT tokens
- returning the caller's tenant and service entitlements
- enforcing tenant- and scope-aware access for downstream services
- mirroring FarmCalendar farms and parcels into GK cache for RBAC assignment
- providing a Django admin for platform admins and tenant admins
GK is used in front of:
- Farm Calendar (FC)
- Irrigation Management (IRM)
- Weather Data (WD)
- Pest and Disease Management (PDM)
- Reporting (RP)
GK now uses a tenant-scoped RBAC model.
Core objects:
- Tenant
- User Master
- Service
- Permission
- Service Role
- Role Grant
- FarmCalendar Resource Cache
Access is modeled as:
- permissions belong to service roles
- service roles are tenant-scoped
- role grants assign a role to a user on a farm or parcel scope
Admin types:
- platform_admin
  - Django is_superuser=True
  - unrestricted across all tenants
- tenant_admin
  - Django is_tenant_admin=True
  - tenant-scoped admin access inside GK
- normal tenant user
  - tenant-bound, non-admin user
GK exposes:
- POST /api/login/
- POST /api/logout/
- POST /api/token/refresh/
- POST /api/validate_token/
- GET /api/me/
- GET /api/farmcalendar-scopes/
- GET /api/farmcalendar-catalog/
- POST /api/register_service/
- GET /api/service_directory/
- POST /api/delete_service/
- GET|POST|PATCH|DELETE /api/proxy/<path>
See:
python manage.py create_tenant_admin sip06 sip06_admin sip06_admin@example.com 'replace-me'
python manage.py bootstrap_tenant_admins --csv /path/to/tenant_admins.csv
Dry run:
python manage.py bootstrap_tenant_admins --csv /path/to/tenant_admins.csv --dry-run
python manage.py sync_farmcalendar_catalog
Watch mode:
python manage.py sync_farmcalendar_catalog --watch --interval 30
Database and runtime:
- DATABASE_URL
- APP_HOST
- APP_PORT
- DJANGO_SECRET_KEY
- DJANGO_DEBUG
- DJANGO_STATIC_ROOT
Superuser bootstrap:
- SUPERUSER_USERNAME
- SUPERUSER_EMAIL
- SUPERUSER_PASSWORD
JWT:
- JWT_SIGNING_KEY
- JWT_ALG
- JWT_ACCESS_TOKEN_MINUTES
- JWT_REFRESH_TOKEN_DAYS
FarmCalendar / proxy integration:
- FARM_CALENDAR_API
- FARM_CALENDAR_POST_AUTH
- INTERNAL_GK_URL
FC catalog sync credentials:
- FC_SYNC_USERNAME
- FC_SYNC_PASSWORD
Fallback sync credentials if dedicated sync credentials are not set:
- GATEKEEPER_SUPERUSER_USERNAME
- GATEKEEPER_SUPERUSER_PASSWORD
- SUPERUSER_USERNAME
- SUPERUSER_PASSWORD
Create your env file and configure the required values first.
Then run:
docker compose up -d
Access:
- site login: http://localhost:8001/login/
- Django admin: http://localhost:8001/admin/
GK is configured to serve static files with WhiteNoise when DEBUG=False.
Required deployment behavior:
- set DJANGO_DEBUG=False
- set DJANGO_STATIC_ROOT consistently
- run collectstatic
- proxy traffic through Traefik or another reverse proxy
If you use a persisted static volume, make sure stale collected assets do not prevent fresh collectstatic runs after image updates.
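A preflight check of the env file against the variable lists and required deployment behavior above, as an added example that is not part of the GateKeeper code base. The KEY=VALUE parsing, the placeholder list, the set of secrets treated as required, and the policy checks (distinct JWT key, 32-byte minimum for HS256, warning on superuser fallback for FC sync) are assumptions of this example.

```python
import re

# Assumptions of this example: placeholder values and which secrets are required.
PLACEHOLDERS = {"", "replace-me", "changeme", "secret"}
SECRETS = ("DJANGO_SECRET_KEY", "JWT_SIGNING_KEY", "SUPERUSER_PASSWORD")

def parse_env(text):
    """Parse KEY=VALUE lines; comments and blanks do not match and are skipped."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$", line)
        if m:
            env[m.group(1)] = m.group(2).strip("'\"")
    return env

def audit(env):
    """Return a list of (severity, message) findings for a GK env mapping."""
    findings = []
    if env.get("DJANGO_DEBUG", "").lower() != "false":
        findings.append(("error", "DJANGO_DEBUG must be False"))
    if not env.get("DJANGO_STATIC_ROOT"):
        findings.append(("error", "DJANGO_STATIC_ROOT is not set"))
    for name in SECRETS:
        if env.get(name, "").lower() in PLACEHOLDERS:
            findings.append(("error", f"{name} is missing or a placeholder"))
    key = env.get("JWT_SIGNING_KEY", "")
    if key and key == env.get("DJANGO_SECRET_KEY"):
        findings.append(("warn", "JWT_SIGNING_KEY reuses DJANGO_SECRET_KEY"))
    # HS256 needs a key at least as long as its 32-byte hash output (RFC 7518).
    if env.get("JWT_ALG") == "HS256" and 0 < len(key) < 32:
        findings.append(("error", "JWT_SIGNING_KEY is shorter than 32 bytes"))
    # Without dedicated sync credentials, catalog sync uses the superuser fallback.
    if not (env.get("FC_SYNC_USERNAME") and env.get("FC_SYNC_PASSWORD")):
        findings.append(("warn", "FC sync falls back to superuser credentials"))
    return findings

# Constructed sample env file, not taken from a real deployment.
SAMPLE = """\
# gatekeeper env
DJANGO_DEBUG=True
DJANGO_SECRET_KEY='replace-me'
JWT_SIGNING_KEY=short-key
JWT_ALG=HS256
SUPERUSER_PASSWORD="S0me-long-constructed-passphrase"
"""

if __name__ == "__main__":
    for severity, message in audit(parse_env(SAMPLE)):
        print(f"{severity}: {message}")
```

Running it before `docker compose up -d` and failing the deployment on any `error` finding keeps a debug build or a placeholder signing key from reaching a shared environment.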
Tenant admins use the same GK admin panel but only see tenant-local data.
Tenant admins can:
- create users inside their own tenant
- create tenant-local service roles
- create role grants for tenant users
Tenant admins cannot:
- create superusers
- see global platform configuration
- see or modify another tenant's data
This project is distributed under the EUPL v1.2. See the LICENSE file for details.