UGI creates simple IOEs on failure, making it impossible to catch them, ignore them, have smart retry logic around them, etc.
- Have an explicit exception like KerberosAuthException extends IOException to raise instead. We can't use AuthenticationException as that doesn't extend IOE.
- move UGI, SecurityUtil and things related off simple IOEs and into the new one
- review exceptions raised and consider if they can provide more information
- for the strings that get created, put them as public static constants, so that tests can look for them explicitly —tests that don't break if the text is changed.
- maybe, getUGIFromTicketCache to throw this rather than an RTE if no login principals were found (it throws IOEs on login failures, after all)
- keep KDiag in sync with this