rbac: fix status code PERMISSION_DENIED (#8578)

RBAC should fail with PERMISSION_DENIED, fix https://github.com/grpc/grpc-java/issues/8576

xds/src/main/java/io/grpc/xds/RbacFilter.java

@@ -177,14 +177,13 @@ final class RbacFilter implements Filter, ServerInterceptorBuilder {
                 final ServerCall<ReqT, RespT> call,
                 final Metadata headers, ServerCallHandler<ReqT, RespT> next) {
           AuthDecision authResult = authEngine.evaluate(headers, call);
-          if (logger.isLoggable(Level.FINER)) {
-            logger.log(Level.FINER,
+          if (logger.isLoggable(Level.FINE)) {
+            logger.log(Level.FINE,
                 "Authorization result for serverCall {0}: {1}, matching policy: {2}.",
                 new Object[]{call, authResult.decision(), authResult.matchingPolicyName()});
           }
           if (GrpcAuthorizationEngine.Action.DENY.equals(authResult.decision())) {
-            Status status = Status.UNAUTHENTICATED.withDescription(
-                    "Access Denied, matching policy: " + authResult.matchingPolicyName());
+            Status status = Status.PERMISSION_DENIED.withDescription("Access Denied");
             call.close(status, new Metadata());
             return new ServerCall.Listener<ReqT>(){};
           }

xds/src/test/java/io/grpc/xds/RbacFilterTest.java

@@ -256,7 +256,8 @@ public class RbacFilterTest {
     verify(mockHandler, never()).startCall(eq(mockServerCall), any(Metadata.class));
     ArgumentCaptor<Status> captor = ArgumentCaptor.forClass(Status.class);
     verify(mockServerCall).close(captor.capture(), any(Metadata.class));
-    assertThat(captor.getValue().getCode()).isEqualTo(Status.UNAUTHENTICATED.getCode());
+    assertThat(captor.getValue().getCode()).isEqualTo(Status.PERMISSION_DENIED.getCode());
+    assertThat(captor.getValue().getDescription()).isEqualTo("Access Denied");
     verify(mockServerCall).getAttributes();
     verifyNoMoreInteractions(mockServerCall);