[[new IAM integration]] viewer/json/query http request doesn't check rights properly and restricts access when it mustn't

[UgnineSirdis]

No description provided.

[UgnineSirdis]

When we request this http handle with Authorize header (and authorization enabled in YDB):

curl -vv 'http://localhost:2944/viewer/json/query?timeout=600000&base64=false&schema=modern' -H "Authorization: $YDB_TOKEN"  -H 'content-type: application/json' --data-raw '{"query":"select * from `test/test_table`","database":"/local","action":"execute-script","syntax":"yql_v1","stats":"profile"}'

the main difference from ydb cli is that ydb cli used grpc and http uses direct actor system request for query execution.

In grpc subsystem before executing any grpc request user access token is sent to ticket parser with authorize request (with rights check: ydb.databases.list, ydb.databases.create, ydb.databases.connect, ydb.tables.select, ydb.schemas.getMetadata), but in http we send to ticket parser only authenticate request (without rights check) here:
https://github.com/ydb-platform/ydb/blob/main/ydb/core/mon/mon.cpp#L65 (entries are empty array: https://github.com/ydb-platform/ydb/blob/main/ydb/core/mon/mon.cpp#L15). Then ticket parser says that everything is OK, user is 123@as and he participates in no interesting groups. This parsed token is passed then to KQP proxy actor service here: https://github.com/ydb-platform/ydb/blob/main/ydb/core/viewer/json_query.h#L225 => KQP failures to get needed rights for query execution (because we haven't requested any rights).

[UgnineSirdis]

Merge to 24-1: #6410
Merge to 24-2: #6422
Merge to 24-3 is not required (already there)