fix(rbac): forbiden grant create-ownership-object privilege to user

[TCeason]

I hereby agree to the terms of the CLA available at: https://docs.databend.com/dev/policies/cla/

Summary

• now rejects granting CREATE-like privileges directly to a USER; they must be attached to a role and the session’s current/default role must carry the privilege. This prevents the common mistake where a user with CREATE but default role public creates tables/sequences/etc. whose owner role becomes public, leaking access to everyone.
• drops the “grant everything” helper so the engine no longer hands out the entire privilege bitset to users, and
• forces CREATE Masking Policy checks to run against the current role only, so CREATE operations can’t “borrow” privileges from other secondary roles silently. Together those changes make the privilege model match the intended “users operate via
• roles” design and stop ownership from falling back to public.
• Example (tables):
  Old flow was as simple as GRANT CREATE ON default. * TO USER b; and CREATE TABLE t AS ...; which implicitly set the owner to public. Now the tests at tests/suites/0_stateless/18_rbac/18_0007_privilege_access.sh:239-258 show the
  enforced pattern:

CREATE ROLE role_test_b;
GRANT CREATE ON default.* TO ROLE role_test_b;
GRANT ROLE role_test_b TO b;
ALTER USER b WITH DEFAULT_ROLE = role_test_b;
CREATE TABLE t AS SELECT 1;   -- succeeds and owner = role_test_b, not public

In pr

grant create on default.* to user <username> -- will failed.

-- user role is account_admin and public, and current role is public that does not contain create privilege create will be failed.
create table t(id int) --failed

If b reverts to SET ROLE public the final CREATE is rejected, so there is no chance to create a table owned by public.

Tests

• Unit Test
• Logic Test
• Benchmark Test
• No Test - Explain why

Type of change

• Bug Fix (non-breaking change which fixes an issue)
• New Feature (non-breaking change which adds functionality)
• Breaking Change (fix or feature that could cause existing functionality not to work as expected)
• Documentation Update
• Refactoring
• Performance Improvement
• Other (please describe):

---

This change is 

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".