Have an explicit KerberosAuthException for UGI to throw, text from public constants

UGI creates simple IOEs on failure, making it impossible to catch them, ignore them, have smart retry logic around them, etc.

1. Have an explicit exception like KerberosAuthException extends IOException to raise instead. We can't use AuthenticationException as that doesn't extend IOE.
2. move UGI, SecurityUtil and things related off simple IOEs and into the new one
3. review exceptions raised and consider if they can provide more information
4. for the strings that get created, put them as public static constants, so that tests can look for them explicitly —tests that don't break if the text is changed.
5. maybe, getUGIFromTicketCache to throw this rather than an RTE if no login principals were found (it throws IOEs on login failures, after all)
6. keep KDiag in sync with this