Diffstat (limited to 'src/model')
-rw-r--r-- | src/model/bucket_alias_table.rs | 8 | ||||
-rw-r--r-- | src/model/bucket_table.rs | 10 | ||||
-rw-r--r-- | src/model/key_table.rs | 16 | ||||
-rw-r--r-- | src/model/permission.rs | 6 |
4 files changed, 33 insertions, 7 deletions
diff --git a/src/model/bucket_alias_table.rs b/src/model/bucket_alias_table.rs
index 4d300d05..52484c5b 100644
--- a/src/model/bucket_alias_table.rs
+++ b/src/model/bucket_alias_table.rs
@@ -15,7 +15,6 @@ pub struct BucketAlias {
 #[derive(PartialEq, Eq, PartialOrd, Ord, Clone, Debug, Serialize, Deserialize)]
 pub struct AliasParams {
 pub bucket_id: Uuid,
- pub website_access: bool,
 }
 impl AutoCrdt for AliasParams {
@@ -23,13 +22,10 @@ impl AutoCrdt for AliasParams {
 }
 impl BucketAlias {
- pub fn new(name: String, bucket_id: Uuid, website_access: bool) -> Self {
+ pub fn new(name: String, bucket_id: Uuid) -> Self {
 BucketAlias {
 name,
- state: crdt::Lww::new(crdt::Deletable::present(AliasParams {
- bucket_id,
- website_access,
- })),
+ state: crdt::Lww::new(crdt::Deletable::present(AliasParams { bucket_id })),
 }
 }
 pub fn is_deleted(&self) -> bool {
diff --git a/src/model/bucket_table.rs b/src/model/bucket_table.rs
index ac40407e..6ae719ae 100644
--- a/src/model/bucket_table.rs
+++ b/src/model/bucket_table.rs
@@ -1,4 +1,5 @@
 use serde::{Deserialize, Serialize};
+use serde_bytes::ByteBuf;
 use garage_table::crdt::Crdt;
 use garage_table::*;
@@ -27,6 +28,11 @@ pub struct BucketParams {
 pub creation_date: u64,
 /// Map of key with access to the bucket, and what kind of access they give
 pub authorized_keys: crdt::Map<String, BucketKeyPerm>,
+ /// Whether this bucket is allowed for website access
+ /// (under all of its global alias names)
+ pub website_access: crdt::Lww<bool>,
+ /// The website configuration XML document
+ pub website_config: crdt::Lww<Option<ByteBuf>>,
 /// Map of aliases that are or have been given to this bucket
 /// in the global namespace
 /// (not authoritative: this is just used as an indication to
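Review bot: In bucket_alias_table.rs, `AliasParams` derives `Serialize`/`Deserialize` (visible in the first hunk's context), so dropping `website_access` changes the encoded shape of every alias record already stored. This diffstat is limited to src/model and shows neither how older records are decoded nor how an alias that had website access enabled carries it over to the new per-bucket flag, which starts at `false`. If a conversion exists elsewhere, a comment on the struct such as `// website_access moved to BucketParams; old records are converted by <migration>` would make that traceable. The same question applies to the fields added to `BucketParams`, `KeyParams` and `BucketKeyPerm` in the later hunks.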
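Review bot: In bucket_table.rs, `website_access` and `website_config` are added to `BucketParams` as two independent `Lww` registers (and merged separately in the later `merge` hunk), so a replica can end up with `website_access = true` alongside a `website_config` written by a different update, or `None`. The doc comments should state what serving code does in that state, or the two could be folded into one register where `Some(config)` means enabled. Moving the flag from the alias to the bucket also means one write exposes the bucket under every global alias, which deserves a line in the comment on who may set it. `website_config` holds raw bytes; a comment such as `/// Stored as received; must be validated and size-limited before it is written here` would record that nothing in this type checks it. The struct body starts and ends outside the hunk.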
@@ -44,6 +50,8 @@ impl BucketParams {
 BucketParams {
 creation_date: now_msec(),
 authorized_keys: crdt::Map::new(),
+ website_access: crdt::Lww::new(false),
+ website_config: crdt::Lww::new(None),
 aliases: crdt::LwwMap::new(),
 local_aliases: crdt::LwwMap::new(),
 }
@@ -53,6 +61,8 @@ impl BucketParams {
 impl Crdt for BucketParams {
 fn merge(&mut self, o: &Self) {
 self.authorized_keys.merge(&o.authorized_keys);
+ self.website_access.merge(&o.website_access);
+ self.website_config.merge(&o.website_config);
 self.aliases.merge(&o.aliases);
 self.local_aliases.merge(&o.local_aliases);
 }
diff --git a/src/model/key_table.rs b/src/model/key_table.rs
index e87f5949..469dbd49 100644
--- a/src/model/key_table.rs
+++ b/src/model/key_table.rs
@@ -27,6 +27,7 @@ pub struct Key {
 /// Configuration for a key
 #[derive(PartialEq, Clone, Debug, Serialize, Deserialize)]
 pub struct KeyParams {
+ pub allow_create_bucket: crdt::Lww<bool>,
 pub authorized_buckets: crdt::Map<Uuid, BucketKeyPerm>,
 pub local_aliases: crdt::LwwMap<String, crdt::Deletable<Uuid>>,
 }
@@ -34,6 +35,7 @@ pub struct KeyParams {
 impl KeyParams {
 pub fn new() -> Self {
 KeyParams {
+ allow_create_bucket: crdt::Lww::new(false),
 authorized_buckets: crdt::Map::new(),
 local_aliases: crdt::LwwMap::new(),
 }
@@ -48,6 +50,7 @@ impl Default for KeyParams {
 impl Crdt for KeyParams {
 fn merge(&mut self, o: &Self) {
+ self.allow_create_bucket.merge(&o.allow_create_bucket);
 self.authorized_buckets.merge(&o.authorized_buckets);
 self.local_aliases.merge(&o.local_aliases);
 }
@@ -111,6 +114,19 @@ impl Key {
 false
 }
 }
+
+ /// Check if `Key` is owner of bucket
+ pub fn allow_owner(&self, bucket: &Uuid) -> bool {
+ if let crdt::Deletable::Present(params) = &self.state {
+ params
+ .authorized_buckets
+ .get(bucket)
+ .map(|x| x.allow_owner)
+ .unwrap_or(false)
+ } else {
+ false
+ }
+ }
 }
 impl Entry<EmptyKey, String> for Key {
diff --git a/src/model/permission.rs b/src/model/permission.rs
index b61c92ce..04bb2bc5 100644
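Review bot: `allow_create_bucket` in `KeyParams` (key_table.rs, hunk at -27,6) introduces a new privilege without a doc comment, while the per-bucket flags in `BucketKeyPerm` each have one. Add something like `/// Whether this key may create new buckets (false for new keys)`. Because it is an `Lww<bool>`, a revocation and a concurrent grant are presumably resolved by write order rather than toward the more restrictive value; if that is intended, say so in the comment.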
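Review bot: `Key::allow_owner` (key_table.rs, last hunk) answers from the key-side `authorized_buckets` map, while `BucketParams` keeps its own `authorized_keys` map of the same `BucketKeyPerm` type and the two are merged independently. The doc comment should say which copy callers must treat as authoritative for owner-only operations, and spell out the fail-closed cases, e.g. `/// Returns true only if the key is not deleted and its entry for the bucket has allow_owner set; unknown buckets yield false`. As a style point, `.map(|x| x.allow_owner).unwrap_or(false)` reads more directly as `.map_or(false, |perm| perm.allow_owner)`. The enclosing `impl Key` starts outside the hunk.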
--- a/src/model/permission.rs
+++ b/src/model/permission.rs
@@ -12,8 +12,12 @@ pub struct BucketKeyPerm {
 /// The key can be used to read the bucket
 pub allow_read: bool,
- /// The key can be used to write in the bucket
+ /// The key can be used to write objects to the bucket
 pub allow_write: bool,
+ /// The key can be used to control other aspects of the bucket:
+ /// - enable / disable website access
+ /// - delete bucket
+ pub allow_owner: bool,
 }
 impl Crdt for BucketKeyPerm { |
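Review bot: `allow_owner` is added to `BucketKeyPerm`, but `impl Crdt for BucketKeyPerm` does not appear to be updated with it: the diffstat counts 6 changed lines for permission.rs and all 6 are in this hunk. The `merge` body lies outside the hunk, so this is inferred. If it reconciles `allow_read` and `allow_write` field by field rather than replacing the whole value, `allow_owner` needs the same handling, otherwise conflicting replicas could keep an owner grant that one side had revoked. Please confirm, and add the matching `allow_owner` line in `merge` if so.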