storj
diff --git a/‎grant/internal/pb/encryption.pico.go
+1-1 b/‎grant/internal/pb/encryption.pico.go
+1-1
diff --git a/‎grant/internal/pb/encryption_access.pico.go
+1-1 b/‎grant/internal/pb/encryption_access.pico.go
+1-1
diff --git a/‎grant/internal/pb/scope.pico.go
+1-1 b/‎grant/internal/pb/scope.pico.go
+1-1
diff --git a/‎grant/restrict.go
+21-13 b/‎grant/restrict.go
+21-13
diff --git a/‎grant/restrict_test.go
+11-9 b/‎grant/restrict_test.go
+11-9
diff --git a/‎macaroon/apikey.go
+17-1 b/‎macaroon/apikey.go
+17-1
diff --git a/‎macaroon/apikey_test.go
+2 b/‎macaroon/apikey_test.go
+2
diff --git a/‎macaroon/types.pico.go
+23-17 b/‎macaroon/types.pico.go
+23-17
diff --git a/‎macaroon/types.proto
+2 b/‎macaroon/types.proto
+2
diff --git a/‎proto.lock
+10 b/‎proto.lock
+10
@@ -64,6 +64,12 @@ type Permission struct {
 	// AllowBypassGovernanceRetention gives permission for governance retention
 	// to be bypassed on objects.
 	AllowBypassGovernanceRetention bool
+	// AllowPutBucketObjectLockConfiguration gives permission for object lock configuration to be
+	// placed on buckets.
+	AllowPutBucketObjectLockConfiguration bool
+	// AllowGetBucketObjectLockConfiguration gives permission for object lock configuration to be
+	// retrieved from buckets.
+	AllowGetBucketObjectLockConfiguration bool
 	// NotBefore restricts when the resulting access grant is valid for.
 	// If set, the resulting access grant will not work if the Satellite
 	// believes the time is before NotBefore.
@@ -112,19 +118,21 @@ func (access *Access) Restrict(permission Permission, prefixes ...SharePrefix) (
 	}
 
 	caveat := macaroon.WithNonce(macaroon.Caveat{
-		DisallowReads:                     !permission.AllowDownload,
-		DisallowWrites:                    !permission.AllowUpload,
-		DisallowLists:                     !permission.AllowList,
-		DisallowDeletes:                   !permission.AllowDelete,
-		DisallowLocks:                     !permission.AllowLock,
-		DisallowPutRetention:              !permission.AllowPutObjectRetention,
-		DisallowGetRetention:              !permission.AllowGetObjectRetention,
-		DisallowPutLegalHold:              !permission.AllowPutObjectLegalHold,
-		DisallowGetLegalHold:              !permission.AllowGetObjectLegalHold,
-		DisallowBypassGovernanceRetention: !permission.AllowBypassGovernanceRetention,
-		NotBefore:                         notBefore,
-		NotAfter:                          notAfter,
-		MaxObjectTtl:                      permission.MaxObjectTTL,
+		DisallowReads:                            !permission.AllowDownload,
+		DisallowWrites:                           !permission.AllowUpload,
+		DisallowLists:                            !permission.AllowList,
+		DisallowDeletes:                          !permission.AllowDelete,
+		DisallowLocks:                            !permission.AllowLock,
+		DisallowPutRetention:                     !permission.AllowPutObjectRetention,
+		DisallowGetRetention:                     !permission.AllowGetObjectRetention,
+		DisallowPutLegalHold:                     !permission.AllowPutObjectLegalHold,
+		DisallowGetLegalHold:                     !permission.AllowGetObjectLegalHold,
+		DisallowBypassGovernanceRetention:        !permission.AllowBypassGovernanceRetention,
+		DisallowPutBucketObjectLockConfiguration: !permission.AllowPutBucketObjectLockConfiguration,
+		DisallowGetBucketObjectLockConfiguration: !permission.AllowGetBucketObjectLockConfiguration,
+		NotBefore:                                notBefore,
+		NotAfter:                                 notAfter,
+		MaxObjectTtl:                             permission.MaxObjectTTL,
 	})
 
 	for _, prefix := range prefixes {
 
@@ -37,15 +37,17 @@ func TestRestrict(t *testing.T) {
 	}
 
 	fullPermission := Permission{
-		AllowDownload:                  true,
-		AllowUpload:                    true,
-		AllowList:                      true,
-		AllowDelete:                    true,
-		AllowPutObjectRetention:        true,
-		AllowGetObjectRetention:        true,
-		AllowPutObjectLegalHold:        true,
-		AllowGetObjectLegalHold:        true,
-		AllowBypassGovernanceRetention: true,
+		AllowDownload:                         true,
+		AllowUpload:                           true,
+		AllowList:                             true,
+		AllowDelete:                           true,
+		AllowPutObjectRetention:               true,
+		AllowGetObjectRetention:               true,
+		AllowPutObjectLegalHold:               true,
+		AllowGetObjectLegalHold:               true,
+		AllowBypassGovernanceRetention:        true,
+		AllowPutBucketObjectLockConfiguration: true,
+		AllowGetBucketObjectLockConfiguration: true,
 	}
 
 	action1 := macaroon.Action{
 
@@ -71,12 +71,18 @@ const (
 	// ActionPutObjectLegalHold specifies an action related to updating
 	// Object Legal Hold configuration.
 	ActionPutObjectLegalHold ActionType = 9
-	// ActionGetObjectLegalHold specifies an action related to updating
+	// ActionGetObjectLegalHold specifies an action related to retrieving
 	// Object Legal Hold configuration.
 	ActionGetObjectLegalHold ActionType = 10
 	// ActionBypassGovernanceRetention specifies an action related to bypassing
 	// Object Governance Retention.
 	ActionBypassGovernanceRetention ActionType = 11
+	// ActionPutBucketObjectLockConfiguration specifies an action related to updating
+	// Bucket Object Lock configuration.
+	ActionPutBucketObjectLockConfiguration ActionType = 12
+	// ActionGetBucketObjectLockConfiguration specifies an action related to retrieving
+	// Bucket Object Lock configuration.
+	ActionGetBucketObjectLockConfiguration ActionType = 13
 )
 
 // APIKeyVersion specifies the version of an API key.
@@ -182,6 +188,8 @@ func (a *APIKey) Check(ctx context.Context, secret []byte, version APIKeyVersion
 			ActionPutObjectLegalHold,
 			ActionGetObjectLegalHold,
 			ActionBypassGovernanceRetention,
+			ActionPutBucketObjectLockConfiguration,
+			ActionGetBucketObjectLockConfiguration,
 			ActionLock:
 			return ErrUnauthorized.New("action disallowed")
 		}
@@ -394,6 +402,14 @@ func (c *Caveat) Allows(action Action) bool {
 		if c.DisallowBypassGovernanceRetention {
 			return false
 		}
+	case ActionPutBucketObjectLockConfiguration:
+		if c.DisallowPutBucketObjectLockConfiguration {
+			return false
+		}
+	case ActionGetBucketObjectLockConfiguration:
+		if c.DisallowGetBucketObjectLockConfiguration {
+			return false
+		}
 	default:
 		return false
 	}
 
@@ -70,6 +70,8 @@ func TestSerializeParseRestrictAndCheck(t *testing.T) {
 		ActionPutObjectLegalHold,
 		ActionGetObjectLegalHold,
 		ActionBypassGovernanceRetention,
+		ActionPutBucketObjectLockConfiguration,
+		ActionGetBucketObjectLockConfiguration,
 		ActionLock,
 	} {
 		action1.Op = actionType
 
@@ -22,6 +22,8 @@ message Caveat {
   bool disallow_put_legal_hold = 8;
   bool disallow_get_legal_hold = 9;
   bool disallow_bypass_governance_retention = 11;
+  bool disallow_put_bucket_object_lock_configuration = 12;
+  bool disallow_get_bucket_object_lock_configuration = 13;
 
   // If any entries exist, require all access to happen in at least
   // one of them.
 
@@ -57,6 +57,16 @@
                 "name": "disallow_bypass_governance_retention",
                 "type": "bool"
               },
+              {
+                "id": 12,
+                "name": "disallow_put_bucket_object_lock_configuration",
+                "type": "bool"
+              },
+              {
+                "id": 13,
+                "name": "disallow_get_bucket_object_lock_configuration",
+                "type": "bool"
+              },
               {
                 "id": 10,
                 "name": "allowed_paths",