Whamcloud - gitweb
LU-18694 sec: nodemap local root user capabilities 66/57966/13
author Sebastien Buisson <sbuisson@ddn.com>
Fri, 24 Jan 2025 15:31:37 +0000 (16:31 +0100)
committer Oleg Drokin <green@whamcloud.com>
Wed, 19 Mar 2025 23:33:41 +0000 (23:33 +0000)
commit f7495bc57f4873db2760fbe6a2c36e3ce8ef546d
tree 9950c5100fadbc187882f785ad2429d9264eeb83
parent b90dc3cfe97ab113b39c1aeb8c0b329587c03a8f
LU-18694 sec: nodemap local root user capabilities

Add a new 'local_admin' rbac role, on by default. The purpose of this
new role is to keep capabilities for root even if it is mapped or
offset. This allows root to be mapped to a non-privileged storage id
while still being able to perform 'admin-like' tasks thanks to
capabilities, such as changing file permissions or file ownership.

Note that setquota and changing project id are also impacted by the
local_admin role. When enabled, root on the client that gets mapped on
the file system side is still able to interact with those.

Be aware that if root is squashed, then capabilities are dropped as
for any other regular user.

New test sanity-sec test_64h exercises the local_admin role.

Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I5832b21106b2829134a596c2aacf04839be856e9
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/57966
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Marc Vef <mvef@whamcloud.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
14 files changed:
lustre/doc/lctl-nodemap-modify.8
lustre/include/lustre_nodemap.h
lustre/include/md_object.h
lustre/include/uapi/linux/lustre/lustre_idl.h
lustre/mdt/mdt_coordinator.c
lustre/mdt/mdt_handler.c
lustre/mdt/mdt_lib.c
lustre/mdt/mdt_restripe.c
lustre/obdecho/echo_client.c
lustre/ptlrpc/nodemap_handler.c
lustre/ptlrpc/wiretest.c
lustre/tests/sanity-sec.sh
lustre/utils/wirecheck.c
lustre/utils/wiretest.c