feat(server): add created_by to provider entity (#1265)

Signed-off-by: Radek Ježek <radek.jezek@ibm.com>

Author: jezekra1

apps/beeai-sdk/src/beeai_sdk/platform/provider.py

@@ -5,6 +5,7 @@
 import typing
 from contextlib import asynccontextmanager
 from datetime import timedelta
+from uuid import UUID
 
 import pydantic
 from a2a.client import ClientConfig, ClientFactory
@@ -35,6 +36,7 @@ class Provider(pydantic.BaseModel):
     agent_card: AgentCard
     state: typing.Literal["missing", "starting", "ready", "running", "error"] = "missing"
     last_error: ProviderErrorMessage | None = None
+    created_by: UUID
     missing_configuration: list[EnvVar] = pydantic.Field(default_factory=list)
 
     @staticmethod

apps/beeai-server/src/beeai_server/api/auth/auth.py

@@ -54,12 +54,36 @@
     ),
 }
 ROLE_PERMISSIONS[UserRole.DEVELOPER] = ROLE_PERMISSIONS[UserRole.USER] | Permissions(
-    providers={"read", "write"},  # TODO provider ownership
+    providers={"read", "write"},
     provider_builds={"read", "write"},
     provider_variables={"read", "write"},
     mcp_providers={"read", "write"},
 )
 
+"""
+global entities:
+    - model_providers
+    - system_configuration
+    - mcp_providers
+    - mcp_tools
+private entities (scoped to user):
+    - files
+    - vector_stores
+    - variables
+    - contexts
+    - context_data
+    - feedback
+semi-private entities:
+    - providers
+        - any user list and show detail about any provider
+        - developers can create/delete and manage only their own providers
+        - admins can create/delete and manage any provider
+    - provider_builds
+        - any user list and show detail about any build
+        - developers can create/delete and manage only their own builds
+        - admins can create/delete and manage any build
+"""
+
 
 class ParsedToken(BaseModel):
     global_permissions: Permissions

apps/beeai-server/src/beeai_server/api/routes/provider_builds.py

@@ -5,14 +5,14 @@
 from uuid import UUID
 
 import fastapi
-from fastapi import Depends
+from fastapi import Depends, Query
 from starlette.responses import StreamingResponse
 
 from beeai_server.api.dependencies import (
     ProviderBuildServiceDependency,
     RequiresPermissions,
 )
-from beeai_server.api.schema.provider_build import CreateProviderBuildRequest
+from beeai_server.api.schema.provider_build import CreateProviderBuildRequest, ProviderBuildListQuery
 from beeai_server.configuration import get_configuration
 from beeai_server.domain.models.common import PaginatedResult
 from beeai_server.domain.models.permissions import AuthorizedUser
@@ -40,25 +40,32 @@ async def get_provider_build(
         return await provider_build_service.get_build(provider_build_id=id)
 
     @router.get("")
-    async def list_provider_build(
-        _: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"read"}))],
+    async def list_provider_builds(
+        user: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"read"}))],
         provider_build_service: ProviderBuildServiceDependency,
+        query: Annotated[ProviderBuildListQuery, Query()],
     ) -> PaginatedResult[ProviderBuild]:
-        return await provider_build_service.list_builds()
+        return await provider_build_service.list_builds(
+            pagination=query,
+            status=query.status,
+            user=user.user if query.user_owned else None,
+        )
 
     @router.get("/{id}/logs")
     async def stream_logs(
-        _: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"write"}))],
+        user: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"write"}))],
         id: UUID,
         provider_build_service: ProviderBuildServiceDependency,
     ) -> StreamingResponse:
-        logs_iterator = await provider_build_service.stream_logs(provider_build_id=id)
+        # admin can see logs from all builds, other users only logs of their build
+        logs_iterator = await provider_build_service.stream_logs(provider_build_id=id, user=user.user)
         return streaming_response(logs_iterator())
 
     @router.delete("/{id}", status_code=fastapi.status.HTTP_204_NO_CONTENT)
     async def delete(
-        _: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"write"}))],
+        user: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_builds={"write"}))],
         id: UUID,
         provider_build_service: ProviderBuildServiceDependency,
     ) -> None:
-        await provider_build_service.delete_build(provider_build_id=id)
+        # admin can delete all builds, other users only their build
+        await provider_build_service.delete_build(provider_build_id=id, user=user.user)

apps/beeai-server/src/beeai_server/api/routes/providers.py

@@ -27,7 +27,7 @@
 
 @router.post("")
 async def create_provider(
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
     request: CreateProviderRequest,
     provider_service: ProviderServiceDependency,
     configuration: ConfigurationDependency,
@@ -36,6 +36,7 @@ async def create_provider(
     if auto_remove and not configuration.provider.auto_remove_enabled:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Auto remove functionality is disabled")
     return await provider_service.create_provider(
+        user=user.user,
         location=request.location,
         agent_card=request.agent_card,
         auto_remove=auto_remove,
@@ -47,7 +48,7 @@ async def create_provider(
 async def preview_provider(
     request: CreateProviderRequest,
     provider_service: ProviderServiceDependency,
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions())],
+    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
 ) -> ProviderWithState:
     return await provider_service.preview_provider(location=request.location, agent_card=request.agent_card)
 
@@ -56,10 +57,11 @@ async def preview_provider(
 async def list_providers(
     provider_service: ProviderServiceDependency,
     request: Request,
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"read"}), use_cache=False)],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"read"}), use_cache=False)],
+    user_owned: Annotated[bool, Query()] = False,
 ) -> PaginatedResult[ProviderWithState]:
     providers = []
-    for provider in await provider_service.list_providers():
+    for provider in await provider_service.list_providers(user=user.user if user_owned else None):
         new_provider = provider.model_copy(
             update={
                 "agent_card": create_proxy_agent_card(provider.agent_card, provider_id=provider.id, request=request)
@@ -87,18 +89,20 @@ async def get_provider(
 async def delete_provider(
     id: UUID,
     provider_service: ProviderServiceDependency,
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
 ) -> None:
-    await provider_service.delete_provider(provider_id=id)
+    # admin can delete any provider, other users only their providers
+    await provider_service.delete_provider(provider_id=id, user=user.user)
 
 
 @router.get("/{id}/logs")
 async def stream_logs(
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(providers={"write"}))],
     id: UUID,
     provider_service: ProviderServiceDependency,
 ) -> StreamingResponse:
-    logs_iterator = await provider_service.stream_logs(provider_id=id)
+    # admin can see logs from all providers, other users only logs of their provider
+    logs_iterator = await provider_service.stream_logs(provider_id=id, user=user.user)
     return streaming_response(logs_iterator())
 
 
@@ -107,15 +111,17 @@ async def update_provider_variables(
     id: UUID,
     request: UpdateVariablesRequest,
     provider_service: ProviderServiceDependency,
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_variables={"write"}))],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_variables={"write"}))],
 ) -> None:
-    await provider_service.update_provider_env(provider_id=id, env=request.variables)
+    # admin can update all variables, other users only variables of their provider
+    await provider_service.update_provider_env(provider_id=id, env=request.variables, user=user.user)
 
 
 @router.get("/{id}/variables")
 async def list_provider_variables(
     id: UUID,
     provider_service: ProviderServiceDependency,
-    _: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_variables={"read"}))],
+    user: Annotated[AuthorizedUser, Depends(RequiresPermissions(provider_variables={"read"}))],
 ) -> ListVariablesSchema:
-    return ListVariablesSchema(variables=await provider_service.list_provider_env(provider_id=id))
+    # admin can see all variables, other users only variables of their provider
+    return ListVariablesSchema(variables=await provider_service.list_provider_env(provider_id=id, user=user.user))

apps/beeai-server/src/beeai_server/api/schema/provider_build.py

@@ -3,8 +3,15 @@
 
 from pydantic import BaseModel
 
+from beeai_server.api.schema.common import PaginationQuery
+from beeai_server.domain.models.provider_build import BuildState
 from beeai_server.utils.github import GithubUrl
 
 
 class CreateProviderBuildRequest(BaseModel):
     location: GithubUrl
+
+
+class ProviderBuildListQuery(PaginationQuery):
+    status: BuildState | None = None
+    user_owned: bool = False

apps/beeai-server/src/beeai_server/domain/models/provider.py

@@ -113,6 +113,7 @@ class Provider(BaseModel):
     registry: RegistryLocation | None = None
     auto_remove: bool = False
     created_at: AwareDatetime = Field(default_factory=utc_now)
+    created_by: UUID
     last_active_at: AwareDatetime = Field(default_factory=utc_now)
     agent_card: AgentCard
 

apps/beeai-server/src/beeai_server/domain/repositories/provider.py

@@ -10,12 +10,14 @@
 
 @runtime_checkable
 class IProviderRepository(Protocol):
-    async def list(self, *, auto_remove_filter: bool | None = None) -> AsyncIterator[Provider]:
+    async def list(
+        self, *, auto_remove_filter: bool | None = None, user_id: UUID | None = None
+    ) -> AsyncIterator[Provider]:
         yield ...  # type: ignore
 
     async def create(self, *, provider: Provider) -> None: ...
     async def update(self, *, provider: Provider) -> None: ...
 
-    async def get(self, *, provider_id: UUID) -> Provider: ...
-    async def delete(self, *, provider_id: UUID) -> int: ...
+    async def get(self, *, provider_id: UUID, user_id: UUID | None = None) -> Provider: ...
+    async def delete(self, *, provider_id: UUID, user_id: UUID | None = None) -> int: ...
     async def update_last_accessed(self, *, provider_id: UUID) -> None: ...

apps/beeai-server/src/beeai_server/domain/repositories/provider_build.py

@@ -11,7 +11,9 @@
 
 @runtime_checkable
 class IProviderBuildRepository(Protocol):
-    async def list(self, *, status: BuildState | None = None) -> AsyncIterator[ProviderBuild]:
+    async def list(
+        self, *, status: BuildState | None = None, user_id: UUID | None = None
+    ) -> AsyncIterator[ProviderBuild]:
         yield ...  # type: ignore
 
     async def list_paginated(
@@ -22,9 +24,10 @@ async def list_paginated(
         order: str = "desc",
         order_by: str = "created_at",
         status: BuildState | None = None,
+        user_id: UUID | None = None,
     ) -> PaginatedResult[ProviderBuild]: ...
 
     async def create(self, *, provider_build: ProviderBuild) -> None: ...
     async def update(self, *, provider_build: ProviderBuild) -> None: ...
-    async def get(self, *, provider_build_id: UUID) -> ProviderBuild: ...
-    async def delete(self, *, provider_build_id: UUID) -> int: ...
+    async def get(self, *, provider_build_id: UUID, user_id: UUID | None = None) -> ProviderBuild: ...
+    async def delete(self, *, provider_build_id: UUID, user_id: UUID | None = None) -> int: ...

apps/beeai-server/src/beeai_server/infrastructure/persistence/migrations/alembic/versions/73e2d8596ada_.py

@@ -0,0 +1,40 @@
+# Copyright 2025 © BeeAI a Series of LF Projects, LLC
+# SPDX-License-Identifier: Apache-2.0
+
+"""add user ownership to providers
+
+Revision ID: 73e2d8596ada
+Revises: 613a5534625e
+Create Date: 2025-10-01 13:12:33.873906
+
+"""
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "73e2d8596ada"
+down_revision: str | None = "613a5534625e"
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("providers", sa.Column("created_by", sa.UUID(), nullable=True))
+    # Assign existing providers to the admin user
+    op.execute("UPDATE providers SET created_by = (SELECT id FROM users WHERE email = 'admin@beeai.dev')")
+    op.alter_column("providers", "created_by", nullable=False)
+    op.create_foreign_key(None, "providers", "users", ["created_by"], ["id"], ondelete="CASCADE")
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint("providers_created_by_fkey", "providers", type_="foreignkey")
+    op.drop_column("providers", "created_by")
+    # ### end Alembic commands ###

apps/beeai-server/src/beeai_server/infrastructure/persistence/repositories/provider.py

@@ -6,7 +6,7 @@
 from typing import Any
 from uuid import UUID
 
-from sqlalchemy import JSON, Boolean, Column, DateTime, Integer, Row, String, Table
+from sqlalchemy import JSON, Boolean, Column, DateTime, ForeignKey, Integer, Row, String, Table
 from sqlalchemy import UUID as SQL_UUID
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.ext.asyncio import AsyncConnection
@@ -27,6 +27,7 @@
     Column("auto_stop_timeout_sec", Integer, nullable=True),
     Column("auto_remove", Boolean, default=False, nullable=False),
     Column("created_at", DateTime(timezone=True), nullable=False),
+    Column("created_by", ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
     Column("last_active_at", DateTime(timezone=True), nullable=False),
     Column("agent_card", JSON, nullable=False),
 )
@@ -60,6 +61,7 @@ def _to_row(self, provider: Provider) -> dict[str, Any]:
             "auto_remove": provider.auto_remove,
             "agent_card": provider.agent_card.model_dump(mode="json"),
             "created_at": provider.created_at,
+            "created_by": provider.created_by,
             "last_active_at": provider.last_active_at,
         }
 
@@ -75,12 +77,15 @@ def _to_provider(self, row: Row) -> Provider:
                 "auto_remove": row.auto_remove,
                 "last_active_at": row.last_active_at,
                 "created_at": row.created_at,
+                "created_by": row.created_by,
                 "agent_card": row.agent_card,
             }
         )
 
-    async def get(self, *, provider_id: UUID) -> Provider:
+    async def get(self, *, provider_id: UUID, user_id: UUID | None = None) -> Provider:
         query = select(providers_table).where(providers_table.c.id == provider_id)
+        if user_id is not None:
+            query = query.where(providers_table.c.created_by == user_id)
         result = await self.connection.execute(query)
         if not (row := result.fetchone()):
             raise EntityNotFoundError(entity="provider", id=provider_id)
@@ -91,15 +96,21 @@ async def update_last_accessed(self, *, provider_id: UUID) -> None:
         query = providers_table.update().where(providers_table.c.id == provider_id).values(last_active_at=utc_now())
         await self.connection.execute(query)
 
-    async def delete(self, *, provider_id: UUID) -> int:
+    async def delete(self, *, provider_id: UUID, user_id: UUID | None = None) -> int:
         query = delete(providers_table).where(providers_table.c.id == provider_id)
+        if user_id is not None:
+            query = query.where(providers_table.c.created_by == user_id)
         result = await self.connection.execute(query)
         if not result.rowcount:
             raise EntityNotFoundError(entity="provider", id=provider_id)
         return result.rowcount
 
-    async def list(self, *, auto_remove_filter: bool | None = None) -> AsyncIterator[Provider]:
+    async def list(
+        self, *, auto_remove_filter: bool | None = None, user_id: UUID | None = None
+    ) -> AsyncIterator[Provider]:
         query = providers_table.select()
+        if user_id is not None:
+            query = query.where(providers_table.c.created_by == user_id)
         if auto_remove_filter is not None:
             query = query.where(providers_table.c.auto_remove == auto_remove_filter)
         async for row in await self.connection.stream(query):