Make instance CPU metrics accessible to non-fleet users

[david-crespo]

Because of #5298, oxql queries to the main endpoint require fleet viewer permissions. But we want to be able to do things like show instance CPU metrics to people with view perms on the instance (technically, the instance's project). Short of the fully general authz solution, the easiest way to hack in access is to make a one-off endpoint for this analogous to the ones we already (reluctantly) have for disk metrics and silo metrics, where we call the timeseries_query function but do a different authz check.

Currently that function includes the fleet viewer check, so we'd probably have to move that up a level.

omicron/nexus/src/app/metrics.rs

Lines 136 to 147 in 836d3a2

	/// Run an OxQL query against the timeseries database.
	pub(crate) async fn timeseries_query(
	&self,
	opctx: &OpContext,
	query: impl AsRef<str>,
	) -> Result<Vec<oxql::Table>, Error> {
	// Must be a fleet user to list timeseries schema.
	//
	// TODO-security: We need to figure out how to implement proper security
	// checks here, letting less-privileged users fetch data for the
	// resources they have access to.
	opctx.authorize(authz::Action::Read, &authz::FLEET).await?;

[bnaecker]

I wrote up some notes here which might impact this work a bit.

[david-crespo]

Closed by #6873. Console side in progress in oxidecomputer/console#2654.