RHDEVDOCS-3137

[lokistack-gateway] Provide an opa-openshift sidecar


    • Task
    • Resolution: Obsolete
    • Normal
    • Logging

      As a LokiStack admin operating Loki-Operator on OCP, I want the lokistack-gateway's OPA agent to delegate authorization requests to OCP's apiserver so that developers can access only the namespaces they are authorized for.

       

      Acceptance criteria:

      1. The opa-openshift sidecar delegates authorization requests via SubjectAccessReviews to OCP apiserver.
      2. The opa-openshift sidecar returns a list of permitted namespaces to the lokistack-gateway authorizer for the Developer persona.
      3. The opa-openshift sidecar permits access to all namespaces to the lokistack-gateway for the Admin persona.
      4. The lokistack-gateway passes a list of namespaces as an extra label filter for the Developer persona to Loki's query frontend.
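
The flow in acceptance criteria 1 to 4, as an added example (not code from opa-openshift, opa-ams or lokistack-gateway), including the case where a Developer has no permitted namespace and the request must be refused rather than sent unfiltered. Assumptions: the `Reviewer` function is a hypothetical stand-in for the SubjectAccessReview call, a cluster-wide allow is treated as the Admin persona, and the label name `kubernetes_namespace_name` is assumed because the ticket does not name it.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Reviewer stands in for one SubjectAccessReview round trip to the apiserver
// (hypothetical signature); namespace "" means a cluster-wide review.
type Reviewer func(user, namespace string) bool

// Authorize returns admin=true on a cluster-wide allow (an assumption: the
// ticket leaves the Admin rule open), else the namespaces the user may read.
func Authorize(review Reviewer, user string, candidates []string) (bool, []string) {
	if review(user, "") {
		return true, nil
	}
	var permitted []string
	for _, ns := range candidates {
		if review(user, ns) {
			permitted = append(permitted, ns)
		}
	}
	return false, permitted
}

// LabelFilter renders the extra matcher for Loki's query frontend (label name
// assumed). It fails closed: an empty Developer list is an error, not "all".
func LabelFilter(admin bool, namespaces []string) (string, error) {
	if admin {
		return "", nil // Admin persona: no namespace restriction
	}
	if len(namespaces) == 0 {
		return "", fmt.Errorf("no permitted namespaces")
	}
	parts := make([]string, len(namespaces))
	for i, ns := range namespaces {
		parts[i] = regexp.QuoteMeta(ns) // names are data, not regex syntax
	}
	return "kubernetes_namespace_name=~" + strconv.Quote(strings.Join(parts, "|")), nil
}

func main() {
	review := func(user, ns string) bool { return user == "alice" && ns == "team-a" } // constructed sample
	fmt.Println(LabelFilter(Authorize(review, "alice", []string{"team-a", "team-b"})))
}
```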

       

      Dev notes:

      • will need to implement this, based on https://github.com/observatorium/opa-ams
      • single http handler that will run as a container in the lokistack-gateway pod
      • will need to be connected to CPaaS (will be a separate card)
      • Repo should be created under ViaQ org

       

      Docs impact:

      • Need to capture the requirements for being considered an Admin user for Loki

            Unassigned Unassigned
            rdlugyhe Rolfe Dlugy-Hegwer