server: tenants should read their own timeseries without capabilities + can_view_tsdb_metrics capability should control access to storage-level metrics

[aadityasondhi]

Is your feature request related to a problem? Please describe.

In the first implementation of the can_view_tsdb_metrics, the following behavior was implemented:

• by default, a secondary tenant cannot read timeseries at all.
• if they are granted the can_view_tsdb_metrics capability, they become able to read their own timeseries.

This is overly restrictive.

Describe the solution you'd like

• make tenants able to observe their own timeseries without a capability
• make the new capability control access to system-wide metrics by a tenant (but not that of other tenants)

Also as a result we will probably want to rename that capability to can_view_storage_metrics.

Additional context

• Related comment: https://github.com/cockroachdb/cockroach/pull/86524#issuecomment-1523734065

Jira issue: CRDB-27417 Epic CRDB-34076

[rafiss]

This is referenced as a skipped test here: https://github.com/cockroachdb/cockroach/blob/60fa6c0b8521b103da81bd967f0335c1d9503418/pkg/server/authserver/authentication_test.go#L777