Console Policy

Updates policy file so serial console can be
properly used by owners and lessees.

Author: ljmcgann

docs/source/usage/index.rst

@@ -225,6 +225,43 @@ In order to use an external provisioning service, simply attach the node to the
 | Attach Network to Node        | ``openstack esi node network attach (--network <network> | --port <port>) <node>`` |
 +-------------------------------+------------------------------------------------------------------------------------+
 
+Serial Console Access
+---------------------
+
+In order to access a node using a serial console, the admin or owner must configure the node's console interface.
+Instructions for this can be found under `Configuring Web or Serial Console`_ in Ironic's documentation.
+Once the node is properly configured, the console can be enabled and disabled as needed.
+
++-----------------+-----------------------------------------------------+
+|                 | **Actions**                                         |
++-----------------+-----------------------------------------------------+
+| Enable Console  | ``openstack baremetal node console enable <node>``  |
++-----------------+-----------------------------------------------------+
+| Disable Console | ``openstack baremetal node console disable <node>`` |
++-----------------+-----------------------------------------------------+
+
+Serial console information is available from the Bare Metal service. Get
+serial console information for a node from the Bare Metal service as follows:
+
++---------------------------+--------------------------------------------------+
+|                           | **Actions**                                      |
++---------------------------+--------------------------------------------------+
+| Show Console Information  | ``openstack baremetal node console show <node>`` |
++---------------------------+--------------------------------------------------+
+
+``openstack baremetal node console show <node>`` will generate the following output:
+
++-----------------+----------------------------------------------------------------------+
+| Property        | Value                                                                |
++-----------------+----------------------------------------------------------------------+
+| console_enabled | True                                                                 |
++-----------------+----------------------------------------------------------------------+
+| console_info    | {u'url': u'``tcp://<host>:<port>``', u'type': u'socat'}              |
++-----------------+----------------------------------------------------------------------+
+
+If ``console_enabled`` is ``false`` or ``console_info`` is ``None`` then
+the serial console is disabled. Note, there can only be one ipmi connection to the node, meaning only one user may access the console at a time.
+
 Additional ESI CLI Actions
 --------------------------
 
@@ -284,3 +321,4 @@ Trunk Ports
 .. _Ironic boot-from-volume documentation: https://docs.openstack.org/ironic/latest/admin/boot-from-volume.html
 .. _python-esiclient: https://github.com/CCI-MOC/python-esiclient
 .. _python-esileapclient: https://github.com/CCI-MOC/python-esileapclient
+.. _Configuring Web or Serial Console: https://docs.openstack.org/ironic/latest/admin/console.html

etc/ironic/policy.yaml.sample

@@ -128,11 +128,11 @@
 
 # Get Node console connection information
 # GET  /nodes/{node_ident}/states/console
-#"baremetal:node:get_console": "rule:is_admin"
+#"baremetal:node:get_console": "rule:is_admin or rule:is_node_owner or rule:is_node_lessee"
 
 # Change Node console status
 # PUT  /nodes/{node_ident}/states/console
-#"baremetal:node:set_console_state": "rule:is_admin"
+#"baremetal:node:set_console_state": "rule:is_admin or rule:is_node_owner or rule:is_node_lessee"
 
 # List VIFs attached to node
 # GET  /nodes/{node_ident}/vifs