platform-checks: Add privileges validation to owners check #18758

Merged
merged 4 commits into from
Apr 19, 2023


@def- def- commented Apr 13, 2023

Part of #17983

Depends on #18700

Motivation

  • This PR adds a known-desirable feature.

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • This PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way) and therefore is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • This PR includes the following user-facing behavior changes:

@def- def- marked this pull request as ready for review April 18, 2023 14:01

def- commented Apr 18, 2023

@jkosh44 Is this an expected difference when upgrading from an older version? Happened from X-4: https://buildkite.com/materialize/nightlies/builds/2227#018794b2-33b1-44fc-85d2-ae5bf84b9d26

[2023-04-18T14:21:39Z] > SELECT role.name, member.name, grantor.name from mz_role_members JOIN mz_roles role ON mz_role_members.role_id = role.id JOIN mz_roles member ON mz_role_members.member = member.id JOIN mz_roles grantor ON mz_role_members.grantor = grantor.id WHERE role.name LIKE 'create_role%';
[2023-04-18T14:26:39Z] rows didn't match; sleeping to see if dataflow catches up 50ms 75ms 113ms 169ms 253ms 380ms 570ms 854ms 1s 2s 3s 4s 6s 10s 15s 22s 33s 49s 74s 78s
^^^ +++
[2023-04-18T14:26:39Z] 6:1: error: non-matching rows: expected:
[2023-04-18T14:26:39Z] [["create_role1", "materialize", "mz_system"], ["create_role2", "materialize", "mz_system"]]
[2023-04-18T14:26:39Z] got:
[2023-04-18T14:26:39Z] [["create_role1", "materialize", "materialize"], ["create_role2", "materialize", "materialize"]]
[2023-04-18T14:26:39Z] Poor diff:
[2023-04-18T14:26:39Z] + create_role1 materialize materialize
[2023-04-18T14:26:39Z] - create_role1 materialize mz_system
[2023-04-18T14:26:39Z] + create_role2 materialize materialize
[2023-04-18T14:26:39Z] - create_role2 materialize mz_system


jkosh44 commented Apr 18, 2023

> @jkosh44 Is this an expected difference when upgrading from an older version? Happened from X-4: https://buildkite.com/materialize/nightlies/builds/2227#018794b2-33b1-44fc-85d2-ae5bf84b9d26
>
> [2023-04-18T14:21:39Z] > SELECT role.name, member.name, grantor.name from mz_role_members JOIN mz_roles role ON mz_role_members.role_id = role.id JOIN mz_roles member ON mz_role_members.member = member.id JOIN mz_roles grantor ON mz_role_members.grantor = grantor.id WHERE role.name LIKE 'create_role%';
> [2023-04-18T14:26:39Z] rows didn't match; sleeping to see if dataflow catches up 50ms 75ms 113ms 169ms 253ms 380ms 570ms 854ms 1s 2s 3s 4s 6s 10s 15s 22s 33s 49s 74s 78s
> ^^^ +++
> [2023-04-18T14:26:39Z] 6:1: error: non-matching rows: expected:
> [2023-04-18T14:26:39Z] [["create_role1", "materialize", "mz_system"], ["create_role2", "materialize", "mz_system"]]
> [2023-04-18T14:26:39Z] got:
> [2023-04-18T14:26:39Z] [["create_role1", "materialize", "materialize"], ["create_role2", "materialize", "materialize"]]
> [2023-04-18T14:26:39Z] Poor diff:
> [2023-04-18T14:26:39Z] + create_role1 materialize materialize
> [2023-04-18T14:26:39Z] - create_role1 materialize mz_system
> [2023-04-18T14:26:39Z] + create_role2 materialize materialize
> [2023-04-18T14:26:39Z] - create_role2 materialize mz_system

Yes, I recently switched the grantor of all role membership to be mz_system. It used to be whoever executed the GRANT statement. The PR is here: #18780

@def- def- merged commit 0cf026d into MaterializeInc:main Apr 19, 2023
@def- def- deleted the pr-privileges-test branch April 19, 2023 09:27