sql/opt: treat privilege errors as stale memos during dependency checks

[michae2]

Previously, when the query cache's CheckDependencies re-resolved data sources from a cached memo and encountered a privilege error (e.g. because the memo referenced objects in a different database context), the error was propagated to the user. This caused unqualified function calls to fail with USAGE privilege errors referencing schemas from the wrong database when two databases had identically-named functions in custom schemas.

Now, maybeSwallowMetadataResolveErr also swallows pgcode.InsufficientPrivilege errors, treating them as indicators that the memo is stale. The memo is evicted and replanned in the correct user/database context, where genuine privilege errors will surface during planning.

Fixes: #168992

Release note (bug fix): Fixed a bug where unqualified function calls could fail with incorrect privilege errors when two databases on the same cluster had identically-named functions in custom schemas. The query cache could serve a memo from one database context to another, causing USAGE privilege errors referencing schemas from the wrong database.

[trunk-io]

😎 Merged successfully - details.

[cockroach-teamcity]

This change is 

[michae2]

How do we feel about backporting this without a session var or cluster setting?

[DrewKimball]

Thanks for the fix!

@DrewKimball reviewed 2 files and all commit messages, and made 1 comment.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on mw5h and rafiss).

[michae2]

TFTR!

/trunk merge

[blathers-crl]

Detected infrastructure failure on trunk-merge branch (matched: self-hosted runner lost communication with the server). Automatically resubmitting to merge queue (attempt 1 of 2). (run link)

[blathers-crl]

/trunk merge

[blathers-crl]

Based on the specified backports for this PR, I applied new labels to the following linked issue(s). Please adjust the labels as needed to match the branches actually affected by the issue(s), including adding any known older branches.

---

Issue #168992: branch-release-25.2.18-rc, branch-release-25.4, branch-release-26.1, branch-release-26.2.

---

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[blathers-crl]

Encountered an error creating backports. Some common things that can go wrong:

1. The backport branch might have already existed.
2. There was a merge conflict.
3. The backport branch contained merge commits.

You might need to create your backport manually using the backport tool.

---

error creating backport branch refs/heads/blathers/backport-release-25.2-169190: POST https://api.github.com/repos/michae2/cockroach/git/refs: 403 Resource not accessible by integration []

Backport to branch 25.2.x failed. See errors above.

---

error creating backport branch refs/heads/blathers/backport-release-25.4-169190: POST https://api.github.com/repos/michae2/cockroach/git/refs: 403 Resource not accessible by integration []

Backport to branch 25.4.x failed. See errors above.

---

error creating backport branch refs/heads/blathers/backport-release-26.1-169190: POST https://api.github.com/repos/michae2/cockroach/git/refs: 403 Resource not accessible by integration []

Backport to branch 26.1.x failed. See errors above.

---

error creating backport branch refs/heads/blathers/backport-release-26.2-169190: POST https://api.github.com/repos/michae2/cockroach/git/refs: 403 Resource not accessible by integration []

Backport to branch 26.2.x failed. See errors above.

---

error creating backport branch refs/heads/blathers/backport-release-25.2.18-rc-169190: POST https://api.github.com/repos/michae2/cockroach/git/refs: 403 Resource not accessible by integration []

Backport to branch 25.2.18-rc failed. See errors above.

---

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}