Add userns_idmap field to accounts

25.04.0 PR: https://github.com/truenas/middleware/pull/15832

This commit adds a field to user and group accounts to map the id in host to containers. This is intended to be used to simplify permissions management for processes in hosts and containers.

The possible values for this field are:

• None - do not map the account

• "DIRECT" - map it to the same ID as in host

• integer - valid uid / gid greater than zero

Validation Errors are raised if the user or group is privileged from the perspective of middleware (has one or more roles defined). This is to reduce the risk of privilege escalation if the process running in a container somehow gets access to the middlewared AF_UNIX socket.

A new method under the virt.instance namespace "get_account_idmaps" is added in order to provide details for a follow-on PR to use this information on incus instance start to write a custom idmap configuration.

The following is a brief example of using group userns_idmap. Generally, it's more efficient to use group membership to control access to filesystem resources.

Example: common groups between host and containers:
-------------------------------------------------------------

1. User has a dataset `dozer/MEDIA`
2. admin creates a "media_access_write" group on the TrueNAS host and sets `userns_idmap="DIRECT"` for the group.
3. admin sets an ACL entry on `dozer/MEDIA` that grants write access for the media_access_write group.

Once this initial setup has been completed, the admin can grant local users access to the `dozer/MEDIA` dataset by making them members of the "media_access_write" group, and can also grant access to a user in a container by creating a group with the same gid in the container and assigning making the group in the container a member of the new group.