fix(frontend): keep DDL ownership on matched role #24969

Open
ouyuanning wants to merge 7 commits into matrixorigin:main from ouyuanning:fix-ownership-bug-main
Conversation

ouyuanning (Contributor) commented Jun 12, 2026

What type of PR is this?

  • API-change
  • BUG
  • Improvement
  • Documentation
  • Feature
  • Test and CI
  • Code Refactoring

Which issue(s) this PR fixes:

issue #24956

What this PR does / why we need it:

This PR fixes DDL ownership when privileges are satisfied by secondary or inherited roles.

  • Track the role that actually satisfies CREATE DATABASE / CREATE TABLE privilege checks and use it as the DDL owner.
  • Map inherited privilege matches back to the active role that introduced the inheritance chain, so ownership is granted to the active primary or secondary role instead of the inherited leaf role.
  • Re-authenticate prepared DDL during EXECUTE so prepared CREATE DATABASE / CREATE TABLE also gets the correct owner role.
  • Revoke implicit ownership from the actual object owner role before DROP DATABASE / DROP TABLE, including multi-table DROP.
  • Propagate implicit ownership revoke errors instead of swallowing them.
  • Add frontend tests and BVT coverage for secondary-role DDL ownership and prepared DDL ownership cleanup.

Validation:

  • rtk git diff --check
  • rtk go test -mod=mod ./pkg/defines -count=1
  • rtk go test -mod=mod ./pkg/frontend -run TestCreateDatabaseOwnerRoleFollowsActiveInheritedRoleRoot|TestCreateTableOwnerRoleFollowsPrivilegeRole|Test_determineUserHasPrivilegeSet -count=1 could not complete locally because the frontend package fails to build with missing C header xxhash.h.
  • Without -mod=mod, local Go reports inconsistent vendoring between go.mod and vendor/modules.txt.
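
The owner-role resolution described in the first two bullets above, as an added Go sketch that is not code from this PR or from MatrixOne. The `RoleGraph` type, the role names, and the primary-then-secondary check order are assumptions made for illustration.

```go
package main

import "fmt"

// RoleGraph is a constructed model for illustration, not MatrixOne's types.
type RoleGraph struct {
	Privs    map[string]map[string]bool // role -> privileges granted directly
	Inherits map[string][]string        // role -> roles granted to that role
}

// grantSource returns the role in role's inheritance chain that directly holds priv.
func (g RoleGraph) grantSource(role, priv string, seen map[string]bool) (string, bool) {
	if seen[role] { // guards diamond inheritance and accidental cycles
		return "", false
	}
	seen[role] = true
	if g.Privs[role][priv] {
		return role, true
	}
	for _, up := range g.Inherits[role] {
		if src, ok := g.grantSource(up, priv, seen); ok {
			return src, true
		}
	}
	return "", false
}

// OwnerRole returns the active role whose chain satisfied priv (the owner) and
// the inherited role that held the grant. Ownership goes to the former.
func (g RoleGraph) OwnerRole(active []string, priv string) (owner, source string, ok bool) {
	for _, a := range active { // assumed order: primary first, then secondary
		if src, found := g.grantSource(a, priv, map[string]bool{}); found {
			return a, src, true
		}
	}
	return "", "", false
}

// sampleGraph is constructed data: only ddl_base holds the grant directly.
func sampleGraph() RoleGraph {
	return RoleGraph{
		Privs:    map[string]map[string]bool{"ddl_base": {"CREATE DATABASE": true}},
		Inherits: map[string][]string{"app_ddl": {"ddl_mid"}, "ddl_mid": {"ddl_base"}},
	}
}

func main() {
	fmt.Println(sampleGraph().OwnerRole([]string{"app_ro", "app_ddl"}, "CREATE DATABASE"))
}
```

With primary role `app_ro` and secondary role `app_ddl` active, the owner resolves to `app_ddl` rather than the inherited `ddl_base`, so a later revoke of implicit ownership on DROP targets a role the session actually had active.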

@qodo-code-review

Qodo reviews are paused for this user.

Labels

  • kind/bug: Something isn't working
  • kind/test-ci
  • size/L: Denotes a PR that changes [500,999] lines
