Updates the authorization model for batches and adds support for non-authorized, small batches

[matsduf]

Purpose

This PR, firstly, moves away from authorization of batch creation by using username/password created through RPC API to using a token configured in the configuration file. Secondly, is supports the creation of small batches without authorization. In the latter case using undelegated data etc will not be supported.

When small batches without authorization can be created, that function is to be added to GUI.

• Updates configuration/backend.md:
  • Updates table of contents
  • Deprecates "enable_add_batch_job"
  • Deprecates "enable_add_api_user"
  • Redefines "enable_batch_create" to replace "enable_add_batch_job"
  • Defines "enable_batch_create" and "enable_add_batch_job" to be conflicting.
  • Removes experimental "enable_user_create"
  • Defines "batch_api_key" for a token to authorize batch creation.
  • Defines "max_batch_size_non_auth" to set to number of domains in batches created without batch_api_key.
  • Editorial updates.
• Updates rpcapi-reference.md
  • Updates table of contents
  • Defines data type "Batch API key"
  • Defines method "conf_max_batch_size_non_auth"
  • Deprecates methods "add_api_user" and "add_batch_job"
  • Redefines method "batch_create" to replace "add_batch_job"
  • Removes experimental "user_create"
  • Editorial updates
  • Deprecates "batch id" and introduces "hash batch id" which is the same kind of "hashed ID" as the test ID.
• Removal of deprecated parts:
  • Parts deprecated by this PR are to be removed by release v2026.2.

When the changes in this PR are approved the following changes are to be created:

• Updated docs/public/using/backend/Using-Zonemaster-Backend-for-batch-testing.md
• Implement the updates in Backend.

Context

• Simplify authorization model zonemaster-backend#1223 (batch authorization model)
• New batch id format zonemaster-backend#1154 ("hash format" on batch ID)
• Anonymous batch creation zonemaster-backend#1153 (batch creation without token)

How to test this PR

Review the changes.

[matsduf]

Renames some methods and keys. No change of logic.

[marc-vanderwal]

So does that mean that something like this will work?

[RPCAPI]
batch_api_key = "NotSoSecret"
batch_api_key = "NotSoSecretEither"
batch_api_key = "LikewiseNotASecret"

[matsduf]

Yes.

[matsduf]

Do think the language should be clarified? Do you think it is a good or bad idea?

[marc-vanderwal]

I think it’s a good idea because it helps avoid having shared secrets between more than two components.

Yes, maybe you could add an example like the one I gave in my previous comment in the text to make the syntax clearer.

[matsduf]

@marc-vanderwal, I like examples because it helps to understand. In that file we do not have much examples, but we have several examples in the zonemaster-backend:share/config.ini file. Do you agree that it would be better to put your examples in the ini file? It will be updated in an upcoming PR.

[marc-vanderwal]

I think it’s best to have this example both in the documentation and in the example configuration file. The syntax is a bit unorthodox because configuration keys are usually unique within a file. It should be crystal clear for users that yes, you can have multiple batch_api_key variables and that it makes all API keys work, not just the first or last one.

[matsduf]

Updated as suggested.

[MichaelTimbert]

Suggested change

	*Deprecated. To be removed with release v2025.2* Replaced by
	*Deprecated. To be removed with release v2026.2* Replaced by

[matsduf]

Already removed. I have to rebase the PR.

[MichaelTimbert]

It is confusing with the example. do we get

"result": "B-c45a3f8256c4a155"

or

"result": { "batch_id": "B-c45a3f8256c4a155" }

[matsduf]

Updates the specification. It should use the same model as "start_domain_test" and "add_batch_job".

[MichaelTimbert]

Look good for me.