rbac: improve permission denied error messages

[maheshwarip]

Summary

Improves "permission denied" error messages to provide more actionable information to users:

Direct errors (role lacks privileges on an object):

• Shows which role needs which privileges
• Shows who owns the object
• Provides HINT with suggested GRANT command

Indirect errors (MV/view owner lacks privileges on dependency):

• Explains the dependency relationship
• Shows which object in the lineage is causing the problem
• Provides HINT targeting the correct role (the owner who needs access)

Example - Direct Error

SELECT * FROM some_table;

ERROR: permission denied for TABLE "schema.some_table"
DETAIL: The 'user1' role needs SELECT privileges on TABLE "schema.some_table"
The owner of TABLE "schema.some_table" is 'user2'
HINT: The owner ('user2') of TABLE "schema.some_table" or a superuser can grant access: GRANT SELECT ON TABLE "schema.some_table" TO 'user1'

Example - Indirect Error (querying MV where owner lost access to dependency)

SELECT * FROM some_mv;

ERROR: permission denied for TABLE "schema.source_table"
DETAIL: The 'mv_owner' role needs SELECT privileges on TABLE "schema.source_table"
The owner of TABLE "schema.source_table" is 'source_owner'
MATERIALIZED VIEW "schema.my_mv" references TABLE "schema.source_table"
HINT: The owner ('source_owner') of TABLE "schema.source_table" or a superuser can grant access: GRANT SELECT ON TABLE "schema.source_table" TO 'mv_owner'

Motivation

Users encountering permission denied errors often don't know:

1. Who owns the object they're trying to access
2. What GRANT command would fix the issue
3. Why they can't access an MV when the real problem is the MV owner lost access to a dependency

This PR addresses all three by enriching error messages with owner information and actionable HINT suggestions.

Test plan

• Run bin/sqllogictest -- test/sqllogictest/permission_denied_errors.slt
• Run bin/sqllogictest -- --rewrite-results test/sqllogictest/privilege_checks.slt to update remaining tests for new error format
• Verify error messages display correctly in psql client

Related

Slack thread: https://materializeinc.slack.com/archives/CU7ELJ6E9/p1775481281751919

https://claude.ai/code/session_01FLZQqa7mRprzCTQT6oQ3Ss

[github-actions]

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

• Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
• Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
• Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

• The PR title is descriptive and will make sense in the git log.
• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

[maheshwarip]

There's a chance this is slop - I'm not familiar with this part of our repo! At a glance, if this is wrong, feel free to just close the PR