multitenant: make AdminMerge onlySystemTenant

Fixes #95138

AdminMerge is currently only called by the system tenant even though it is
named similarly to other Admin* functions so it does not need its own
capability for now.

This changes its required capability from noCapCheckNeeded to onlySystemTenant
to prevent secondary tenants from calling it.

Release note: None

pkg/multitenant/tenantcapabilities/tenantcapabilitiesauthorizer/authorizer.go

@@ -161,11 +161,9 @@ var reqMethodToCap = map[kvpb.Method]tenantcapabilities.CapabilityID{
 	kvpb.AdminRelocateRange:  tenantcapabilities.CanAdminRelocateRange,
 	kvpb.AdminTransferLease:  tenantcapabilities.CanAdminRelocateRange,
 
-	// TODO(ecwall): The following should also be authorized via specific capabilities.
-	kvpb.AdminMerge: noCapCheckNeeded,
-
 	// TODO(knz,arul): Verify with the relevant teams whether secondary
 	// tenants have legitimate access to any of those.
+	kvpb.AdminMerge:                    onlySystemTenant,
 	kvpb.AdminVerifyProtectedTimestamp: onlySystemTenant,
 	kvpb.CheckConsistency:              onlySystemTenant,
 	kvpb.ComputeChecksum:               onlySystemTenant,