apache / trafficcontrol

Apache Traffic Control is an Open Source implementation of a Content Delivery Network
https://trafficcontrol.apache.org/
Apache License 2.0

Self Service Must Prevent Tenant Cache Key Overlap #4748

Open rob05c opened 4 years ago

rob05c commented 4 years ago

Making this issue so we don't forget.

For Self-Service, we have to make it impossible for one tenant to overlap the Cache Key of another. Otherwise, one tenant could accidentally or maliciously break someone else.

But, it's a useful (albeit dangerous) thing for tenants to be able to use the same Cache Key in multiple Delivery Services.

One option is to always prefix the Tenant name/id to the Cache Key.

It would also be ideal if Tenants couldn't accidentally overlap DSes. Maybe also have a default-checked box to Use Delivery Service Name In Cache Key.

It would also be ideal if a Base Tenant of two Sub-Tenants could overlap the Cache Key between their two sub-tenants. Maybe have an option allowing a User of the Base Tenant to specify that the DS Cache Key Tenant prefix is the Base Tenant instead of the actual owning Tenant? That may be overthinking it, though.

This will be a critical vulnerability once Self Service exists, but it doesn't yet, so I'm not adding the "bug" or "critical" tag yet, so it doesn't show up in searches and annoy people.

I'm submitting a ...

Traffic Control components affected ...

Current behavior:

Self Service doesn't currently exist. But when it does, this will become a critical vulnerability.

Minimal reproduction of the problem with instructions:

Cache Key can currently be manually configured so completely different Delivery Services owned by different Tenants can overlap, with no restriction.

Anything else:

rob05c commented 4 years ago

Adding enhancement tag, because I don't want it to show up in bug lists since it isn't today, but I'm afraid if something doesn't have either enhancement or bug it'll get missed entirely in searches.
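Added example, not part of the issue or of Traffic Control's code: one way the tenant-prefix option from the first comment could look in Go, with the DS name included by default and the base-tenant override limited to the owner's ancestors. All type, field and function names and the key layout are hypothetical, and the tenant tree in `main` is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Tenant and DS are simplified, hypothetical records, not Traffic Control's types.
type Tenant struct{ ID, ParentID int } // ParentID 0 = no parent
type DS struct {
	Name, CacheKey string // CacheKey is the tenant-supplied value
	TenantID       int    // owning tenant
	PrefixTenantID int    // 0 = owner; else a base tenant to share the key under
	OmitDSName     bool   // false = "Use Delivery Service Name In Cache Key" checked
}

var ErrPrefixTenant = errors.New("prefix tenant is not the owner or one of its ancestors")

// isSelfOrAncestor walks parent links toward the root; the hop bound stops a corrupt cycle.
func isSelfOrAncestor(tenants map[int]Tenant, ancestor, child int) bool {
	for hops := 0; child != 0 && hops <= len(tenants); hops++ {
		if child == ancestor {
			return true
		}
		child = tenants[child].ParentID
	}
	return false
}

// EffectiveCacheKey puts the tenant-supplied key under a server-chosen tenant ID and
// length-prefixes user-controlled parts so separators inside them are inert.
func EffectiveCacheKey(tenants map[int]Tenant, ds DS) (string, error) {
	prefix := ds.TenantID
	if ds.PrefixTenantID != 0 {
		prefix = ds.PrefixTenantID
	}
	if _, ok := tenants[ds.TenantID]; !ok || !isSelfOrAncestor(tenants, prefix, ds.TenantID) {
		return "", ErrPrefixTenant
	}
	key := fmt.Sprintf("t%d/", prefix)
	if !ds.OmitDSName {
		key += fmt.Sprintf("%d:%s/", len(ds.Name), ds.Name)
	}
	return key + fmt.Sprintf("%d:%s", len(ds.CacheKey), ds.CacheKey), nil
}

func main() {
	tenants := map[int]Tenant{1: {1, 0}, 2: {2, 1}, 3: {3, 1}, 4: {4, 0}} // constructed sample
	fmt.Println(EffectiveCacheKey(tenants, DS{Name: "vod", CacheKey: "k", TenantID: 2}))
}
```

Checking which user is allowed to set `PrefixTenantID` (a user of the base tenant, per the issue) is a separate authorization step that this sketch leaves out.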