Improve `AllowWithShadowDeny` (or/and RBAC in general)

[slonka]

Description

Right now AllowWithShadowDeny is not very useful due to the following:

• ~RBAC filter being applied on the L4 level means that counter is only bumped on new connections, it's a bit hard to correlate a policy change to stats~
• we don't have docs on how to interpret rbac.shadow_allowed and we bump that metric
• no RBAC stats in our dashboards
• we don't use access_log_hint which could make it easier to inspect interesting requests