
fix(frontend): harden SHOW object visibility #25584

Closed

tabVersion wants to merge 1 commit into main from ralph/show-object-visibility-hardening-v2

Conversation

@tabVersion
Contributor

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

Replacement PR for #25571. The previous PR's GitHub synthetic ref refs/pull/25571/head became stale and Buildkite could only fetch the old head ref, causing checkout failures even though the branch and PR API head had advanced. This PR uses the same final code/tree from #25571 on a fresh branch so Buildkite can fetch the correct PR head ref.

What's changed and what's your intention?

This PR hardens user-visible SHOW metadata surfaces so a user with schema visibility alone cannot enumerate object names or secret references that they do not have object-level privilege for.

Changes:

  • Switch clear SHOW object-list handlers to ACL-aware schema iterators:
    • SHOW TABLES
    • SHOW INTERNAL TABLES
    • SHOW VIEWS
    • SHOW MATERIALIZED VIEWS
    • SHOW SOURCES
    • SHOW SINKS
    • SHOW SUBSCRIPTIONS
    • SHOW SECRETS
    • SHOW CONNECTIONS
    • SHOW FUNCTIONS
  • Make SHOW COLUMNS FROM <table/source> and SHOW INDEXES FROM <table> use the normal batch binder path instead of the system binder path, avoiding known-name metadata probing for hidden relations.
  • Add explicit object-visibility checks for SHOW COLUMNS FROM <sink/view> while preserving system-view column introspection.
  • Redact referenced secret names from visible connection output when the current user can see the connection but cannot see the referenced secret. In that case the output renders SECRET <redacted> instead of SECRET schema.secret_name.
  • Apply the same connection secret-ref redaction to rw_catalog.rw_connections.
  • Add targeted SQLLogicTest coverage for hidden object-list results, known-name probing, connection secret-ref redaction, and source/sink/connection SHOW visibility in their corresponding docker-backed e2e suites.

Current limitation / follow-up:

  • During audit, rw_catalog.rw_sources was identified as a separate system-catalog surface that can still need visibility/secret-reference hardening. Iceberg-related catalog views should also be triaged in a follow-up pass.

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • I have added test labels as necessary.
  • I have added fuzzing tests or opened an issue to track them.
  • My PR contains breaking changes.
  • My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
  • I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Documentation

  • My PR needs documentation updates.
Release note

RisingWave now avoids exposing unauthorized object names through SHOW object-list commands and known-name SHOW COLUMNS / SHOW INDEXES probes. Visible connection metadata also redacts referenced secret names when the user cannot independently see the secret.

Local verification

Passed:

  • git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt
  • cargo fmt --all -- --check
  • cargo check -p risingwave_frontend

Attempted but blocked locally:

  • ./risedev psql -c "select 1" failed because no RisingWave server was running on 127.0.0.1:4566, so local SLT was not run.
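As an added illustration (not code from this PR or from RisingWave), here is a small Rust model of the two behaviours the description asks for: a SHOW object-list iterator that requires object-level privilege rather than schema USAGE alone, and a connection row that renders `SECRET <redacted>` when the user can see the connection but cannot independently see the referenced secret. The naive listing is kept beside the ACL-aware one so the enumeration gap is visible. All type and function names (`ObjectKind`, `ObjectId`, `User::can_see`, `show_objects_naive`, `show_objects_acl_aware`, `render_connection`, `sample`) and the sample catalog are hypothetical and constructed for this example.

```rust
use std::collections::HashSet;

/// Catalog object kinds for this illustration (constructed; not RisingWave's own types).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum ObjectKind { Schema, Table, Secret, Connection }

/// Fully qualified identity of a catalog object; a schema uses its own name in both fields.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ObjectId { pub kind: ObjectKind, pub schema: String, pub name: String }

impl ObjectId {
    pub fn new(kind: ObjectKind, schema: &str, name: &str) -> Self {
        Self { kind, schema: schema.to_string(), name: name.to_string() }
    }
    pub fn schema(name: &str) -> Self { Self::new(ObjectKind::Schema, name, name) }
}

/// Hypothetical connection record: the connection object plus the secret it references.
pub struct Connection { pub id: ObjectId, pub secret_ref: ObjectId }

/// Privileges held by a user: a `Schema` entry means USAGE on that schema,
/// any other entry means object-level privilege on that object.
pub struct User { pub grants: HashSet<ObjectId> }

impl User {
    /// Visibility needs USAGE on the schema *and* privilege on the object itself.
    pub fn can_see(&self, obj: &ObjectId) -> bool {
        self.grants.contains(&ObjectId::schema(&obj.schema)) && self.grants.contains(obj)
    }
}

/// Naive SHOW list: schema USAGE alone lets the caller enumerate every name in it.
pub fn show_objects_naive(all: &[ObjectId], user: &User, kind: ObjectKind, schema: &str) -> Vec<String> {
    if !user.grants.contains(&ObjectId::schema(schema)) {
        return Vec::new();
    }
    all.iter().filter(|o| o.kind == kind && o.schema == schema).map(|o| o.name.clone()).collect()
}

/// ACL-aware SHOW list: the iterator also checks object-level privilege per item,
/// so names the user holds no privilege on are never emitted.
pub fn show_objects_acl_aware(all: &[ObjectId], user: &User, kind: ObjectKind, schema: &str) -> Vec<String> {
    all.iter()
        .filter(|o| o.kind == kind && o.schema == schema && user.can_see(o))
        .map(|o| o.name.clone())
        .collect()
}

/// One SHOW CONNECTIONS row: `None` when the connection is hidden; otherwise the
/// secret name appears only if the user can see the secret on its own.
pub fn render_connection(conn: &Connection, user: &User) -> Option<String> {
    if !user.can_see(&conn.id) {
        return None;
    }
    let secret = if user.can_see(&conn.secret_ref) {
        format!("SECRET {}.{}", conn.secret_ref.schema, conn.secret_ref.name)
    } else {
        "SECRET <redacted>".to_string()
    };
    Some(format!("{} ({})", conn.id.name, secret))
}

/// Constructed catalog and user: two tables, two secrets, three connections in `public`.
/// The user has USAGE on `public` but privilege on only one table, one secret, two connections.
pub fn sample() -> (Vec<ObjectId>, Vec<Connection>, User) {
    let obj = |k: ObjectKind, n: &str| ObjectId::new(k, "public", n);
    let objects = vec![
        obj(ObjectKind::Table, "t_visible"), obj(ObjectKind::Table, "t_hidden"),
        obj(ObjectKind::Secret, "s_visible"), obj(ObjectKind::Secret, "s_hidden"),
    ];
    let conn = |n: &str, s: &str| Connection {
        id: obj(ObjectKind::Connection, n),
        secret_ref: obj(ObjectKind::Secret, s),
    };
    let connections = vec![
        conn("conn_a", "s_hidden"), conn("conn_b", "s_visible"), conn("conn_hidden", "s_visible"),
    ];
    let grants: HashSet<ObjectId> = HashSet::from([
        ObjectId::schema("public"),
        obj(ObjectKind::Table, "t_visible"),
        obj(ObjectKind::Secret, "s_visible"),
        obj(ObjectKind::Connection, "conn_a"),
        obj(ObjectKind::Connection, "conn_b"),
    ]);
    (objects, connections, User { grants })
}

fn main() {
    let (objects, connections, user) = sample();
    println!("naive:     {:?}", show_objects_naive(&objects, &user, ObjectKind::Table, "public"));
    println!("acl-aware: {:?}", show_objects_acl_aware(&objects, &user, ObjectKind::Table, "public"));
    for c in &connections {
        if let Some(row) = render_connection(c, &user) {
            println!("{}", row);
        }
    }
}
```

The list-level filter alone is not sufficient: a known-name probe such as `SHOW COLUMNS FROM t_hidden` must resolve the name through the same privilege check (which is why the PR routes it through the normal batch binder), otherwise the error text distinguishes "does not exist" from "exists but hidden" and still confirms the name.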

@tabVersion tabVersion force-pushed the ralph/show-object-visibility-hardening-v2 branch from dcc251d to 62452a8 on May 7, 2026 04:56
Make SHOW object lists and known-name metadata probes honor object visibility, and redact hidden secret refs in connection output.

Move connector-backed SHOW visibility coverage into source/sink/connection e2e suites so the DDL metadata-only test does not depend on external schema registry validation or madsim secret materialization.

Constraint: User requested the approved SHOW object visibility hardening plan.

Confidence: high

Scope-risk: narrow

Directive: Avoid leaking unauthorized object and secret names through SHOW commands.

Tested: git diff --check -- e2e_test/ddl/show_object_privilege.slt e2e_test/source_inline/connection/schema_registry.slt e2e_test/source_inline/kafka/secret_dep.slt e2e_test/sink/blackhole_sink.slt

Tested: cargo fmt --all -- --check

Tested: cargo check -p risingwave_frontend

Not-tested: local SLT because no RisingWave server is running on 127.0.0.1:4566.

Co-authored-by: OmX <omx@oh-my-codex.dev>
@tabVersion tabVersion force-pushed the ralph/show-object-visibility-hardening-v2 branch from 62452a8 to c613a43 on May 7, 2026 04:57
Contributor Author

Closing this first replacement in favor of #25585. This PR was created while #25571 still had a stale refs/pull/25571/head; GitHub never created refs/pull/25584/head, so Buildkite could not fetch the PR head ref. #25585 uses a newer fresh branch/commit with the same intended SHOW visibility fix plus a small explanatory SLT comment.
