There *may* be a better way to get results from syndics to the Master of
Masters, but this at least works.

Fixes saltstack#62933

Aiming to simplify publish where possible, to make it easier to follow.

This is a complete restructure of how Master-of-Masters and Syndics
communicate when publishing a job.

In the past, if we were a MoM, the undocumented but desired approach was
that the MoM would not have any minions attached to it. Because when a
Salt Master was a MoM it would simply publish the job 100% of the time
unless the ACL denied the command. But this was not based on whether or
not there were minions that could be targeted. In fact, when no valid
minions were found then the job would be published, it was only when
there were *invalid* minions found that things would be rejected.

This new approach is for the MoM to make a request of the syndics to
return a list of minions that match both the allowed ACL targets as well
as the requested targets.

On the MoM if the user has requested more minions than they have access
to then we will fail on authorization.

There are a few known issues with the existing architecture:

1. It's possible (though undocumented as to what the behavior should be)
   for multiple syndics to have different minions with the same ID.
2. Based on timing, and without a complete rearchitecture of Syndics
   (planned for 2023), if a syndic comes online *after* targeting data
   is returned and *before* the job is published it's possible that a
   user may be able to publish jobs to minions they should not have
   access to.
3. It's undocumented how things should work if a Syndic is a MoM.

But now - when using external auth, or publisher_acl, the only time a
job should be published is when the provided user actually has the
correct ACL to publish the jobs.

Yeah, maybe Syndics have been around for a while but a lot of their
behavior is not well-defined.

Required by Anil

Do our tests care we cannot connect to docker in the environment? We do
not. If docker can't get the client to connect it's OK, we'll just skip
the tests. At least *one* of our platforms should be running these
tests, which is enough.

No need to fail when we can't clean up. VMs *should* be going away, and
if you're running locally you can clean up yourself 👍