multitenant: introduce kv portion of the tenant capabilities framework

[arulajmani]

Is your feature request related to a problem? Please describe.

This issue tracks the KV work required to enable tenant capabilities, as described in #85954.

Required

• Introduce TenantCapabilities proto which describes the capabilities a specific tenant has tenantcapabilities: introduce TenantCapabilities proto #94644
• Introduce a Decoder for rows produced by the rangefeed on system.tenants table. tenantcapabilities: introduce a decoder for tenant capabilities #94722
• Introduce a Watcher, which establishes a range feed over system.tenants and maintains an in-memory view of all tenant capabilities in the system. tenantcapabilities: introduce a Watcher over system.tenants #95040
• Introduce an Authorizer interface, which accepts tenant capabilities state as input, and makes authorizes incoming requests based on the tenant capabilities state. tenantcapabilities: introduce a Watcher over system.tenants #95040
• Hook up the Watcher to server startup and use the Authorizer in the RPC auth layer. server: hook up tenant capabilities subsystem on startup #96390

Follow-on:

• Allow secondary tenants to introspect their capabilities: tenantcapabilities: allow secondary tenants to query capability state when performing SQL operations #95514

See https://cockroachlabs.atlassian.net/browse/CRDB-18503 for the JIRA epic describing this work.

Jira issue: CRDB-23060

Epic CRDB-18503