feat(security)!: Switch Consul's default_policy to deny

[jim-wang-intel]

• turn on Consul's "deny" default_policy
• use more restricted policy rules for Consul's agent token than the original global policy rules

Note: After this switch is on, Consul's GUI access like http://localhost:8500/ui
will be automatically locked with authentication required. Any direct accesses
to Consul require a legit token.

Closes: #3256

Signed-off-by: Jim Wang yutsung.jim.wang@intel.com

PR Checklist

Please check if your PR fulfills the following requirements:

• [x ] Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/master/.github/Contributing.md.

What is the current behavior?

Currently the default policy of Consul's server agent is "allow"

Issue Number: #3256

What is the new behavior?

Switch the default policy of Consul to "deny"

Does this PR introduce a breaking change?

• [x ] Yes

• No

  Note: After this switch is on, Consul's GUI access like http://localhost:8500/ui
  will be automatically locked with authentication required. Any direct accesses
  to Consul require a legit token.

New Imports

• Yes
• [x ] No

Specific Instructions

Are there any specific instructions or things that should be known prior to reviewing?

Other information

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[bnevis-i]

LGTM

[lenny-goodell]

LGTM

[lenny-goodell]

@jim-wang-intel , should this be in Draft until we are ready to merge? I.e TAF changes, in places etc...

[jim-wang-intel]

@jim-wang-intel , should this be in Draft until we are ready to merge? I.e TAF changes, in places etc...

I am ok with that OR we can take fail-fast approach and let the TAF tests failed and they can fix against it. @cloudxxx8 and @cherrycl what are your thoughts?

[lenny-goodell]

Naw, also this is dependent on your other PR?

[jim-wang-intel]

Naw, also this is dependent on your other PR?

No, this one doesn't depend on other PR.

[dipshirajput]

Hi @jim-wang-intel , @cloudxxx8 , @lenny-intel , @cherrycl ,
for running EdgeX (2.1) with vault (1.8.4) and consul (1.10.3) ,
In file, config_consul_acl.json , the configuration is as shown in the screenshot."default_policy" : "deny"what does this key --- "default_policy" signify ?
If its "deny", then I am unable to run device-virtual correctly. If I set it to "allow", device-virtual runs correctly.please let me know what ideally it should be ?
Thanks.

[bnevis-i]

@dipshirajput, the default deny policy is needed to enable ACL enforcement in Consul. Can you restart this discussion in the EdgeX Slack in the #security channel or in https://github.com/edgexfoundry/community/discussions ? I don't want to help you debug your issue in the pull request comments.