A way to disable console access through extra-specs in flavor

Operators sometime want to disable access to VNC (RDP/spice/etc) console for some (but not all) instances. After small IRC talk it was concluded that extra-specs for a flavor is the best way to do it. To control access to different consoles it may be nice to have an extra-spec which looks like 'os:consoles=none', or 'os:consoles=serial', or 'os:consoles=serial,vnc'. If this extra-spec is absent, behavior is 'all available', if this extra spec is present, API should reject any access to non-listed console types. None is a special value to disable all console access. Any attempt to access console under such conditions (f.e. by using nova get-vnc-console) should return error at API level with small explanation (f.e. "Access to this type of console is restricted").