
Fix initial security.json rbap rules #299

Merged
merged 2 commits into from
Jul 27, 2021

Conversation

thelabdude
Contributor

@thelabdude thelabdude commented Jul 26, 2021

Fixes #274 and #289

Very minor change to remove the users role from the all permission, move the all permission to the last index in the JSON file, and add a new rule for the /admin/zookeeper/status path needed for updates to the exporter in 8.9 (see #289).

Manual integration-style testing required:
Created a SolrCloud running Apache Solr 8.9.0, created a collection, and then tried to index some docs as the solr user, which now fails with a 403 ~ Unauthorized. Indexing as the admin user works. The solr user can log in to the Admin UI but can only query collections.

Also verified the Prometheus exporter (also running 8.9) can now retrieve metrics when basic auth is enabled.
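Why the ordering change in the PR description matters, as an added example (not the Solr Operator's code or its actual security.json): a simplified model of the first-match evaluation Solr's RuleBasedAuthorizationPlugin applies to the permissions list. The handler sets, the role assignments and the role assumed for the exporter's account are constructed assumptions.

```python
# Constructed approximation of which request paths the predefined "read" and
# "update" permissions cover; not Solr's full table.
PREDEFINED = {
    "read": {"/select", "/get"},
    "update": {"/update"},
}


def rule_matches(rule, path):
    """Custom rules match on their path, predefined ones on the handlers
    they cover, and the "all" rule matches every request."""
    if "path" in rule:
        return rule["path"] == path
    if rule["name"] == "all":
        return True
    return path in PREDEFINED.get(rule["name"], set())


def authorize(permissions, user_roles, path):
    """The first matching rule decides; later rules are never consulted."""
    for rule in permissions:
        if rule_matches(rule, path):
            allowed = rule.get("role")
            if allowed is None:  # null role: open to any authenticated user
                return True
            if isinstance(allowed, str):
                allowed = [allowed]
            return bool(set(allowed) & set(user_roles))
    return False  # model assumption: deny when no rule matches


# Constructed "before" list: "all" carries the users role and sits first, so a
# user with role "users" reaches /update before the admin-only rule is seen.
BEFORE = [
    {"name": "all", "role": ["admin", "users"]},
    {"name": "read", "role": ["admin", "users"]},
    {"name": "update", "role": ["admin"]},
]

# Constructed "after" list following the PR description: a specific path rule
# for the exporter's status check, the specific rules next, and an admin-only
# "all" rule last. Granting the path to role "users" is an assumption.
AFTER = [
    {"name": "zk-status", "collection": None,
     "path": "/admin/zookeeper/status", "role": ["admin", "users"]},
    {"name": "read", "role": ["admin", "users"]},
    {"name": "update", "role": ["admin"]},
    {"name": "all", "role": ["admin"]},
]
```

With the "before" list, `authorize(BEFORE, ["users"], "/update")` is allowed by the catch-all; with the "after" list the same call is denied while reads and the status path still succeed.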

@HoustonPutman
Contributor

+1 to the change, but we need to update the documentation to use the new rules and also explain that the default solr user will not be able to add/update/delete docs.

@HoustonPutman
Contributor

Also an addition in the changelog of the Solr Operator helm chart would be nice! You can follow the templates of the other entries. Possible change kind values are found here, fixed or security probably work best. Also if you think it's a serious security concern being addressed, you could always change artifacthub.io/containsSecurityUpdates to true.

@thelabdude
Contributor Author

Also an addition in the changelog of the Solr Operator helm chart would be nice! You can follow the templates of the other entries. Possible change kind values are found here, fixed or security probably work best. Also if you think it's a serious security concern being addressed, you could always change artifacthub.io/containsSecurityUpdates to true.

I don't think it's a serious security issue (willing to be convinced though) ... mainly the solr user ended up getting more access than I intended but users still have to give out the solr user's credentials, which presumes they've reviewed that account's access privileges before handing it out willy-nilly ;-)


@HoustonPutman HoustonPutman left a comment


Looks good!

@thelabdude thelabdude merged commit 43f91ea into apache:main Jul 27, 2021