Rework JAAS configuration to support user-supplied entries

Recent issues (see linked) have brought to light a critical deficiency in the handling of JAAS configuration.

1. the MapR distribution relies on an explicit JAAS conf, rather than in-memory conf used by stock Hadoop.
2. the ZK/Kafka/Hadoop security configuration is supposed to be independent (one can enable each element separately) but isn't.

Perhaps we should rework the JAAS conf code to merge any user-supplied configuration with our defaults, rather than using an all-or-nothing approach.

We should also address some recent regressions:

1. The HadoopSecurityContext should be installed regardless of auth mode, to login with UserGroupInformation, which:

• handles the HADOOP_USER_NAME variable.
• installs an OS-specific user principal (from UnixLoginModule etc.) unrelated to Kerberos.
• picks up the HDFS/HBASE delegation tokens.

2. Fix the use of alternative authentication methods - delegation tokens and Kerberos ticket cache.