YARN-4877 (sub-task of YARN-896, Roll up for long-lived services in YARN)

Add a way to push out updated service tokens to containers


Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: None
    • Component/s: applications, security
    • Labels: None

    Description

      All YARN apps with a planned lifespan of more than 24h need to have a way to push out updated tokens to containers, the tokens themselves coming from an AM with a keytab, a kinited user, or Oozie.

      Per-app solutions are likely to have different security flaws, testability/support problems, etc. Yet we already have a mechanism for the RM to pass credentials to the NMs and into the local filesystem for container launch... this could be extended to support updated credential propagation, something like:

      1. AM/RM protocol adds an operation to replace credentials on a container; the NM uses this to pull down the new value; a UGI refresh thread can look for updated data at HADOOP_TOKEN_FILES_LOCATION and reload it.
      2. YARN Client API extended to allow AM launch context credentials to be similarly updated.
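      As an added illustration of the container side of step 1 (not code from YARN or from this ticket): a sketch of the UGI refresh thread that reloads the token file once the NM has replaced it. It assumes the file path comes from the HADOOP_TOKEN_FILE_LOCATION environment variable that Hadoop already sets for containers, that the NM replaces the file atomically (write to a temp file, then rename), and the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
/**
 * Illustrative container-side refresh thread, not Hadoop's own code. Polls the
 * token file the NM localised for this container; when its mtime advances it reads
 * the new Credentials and merges them into the current UGI (a token with the same
 * service alias replaces the old one). Assumes the NM swaps the file in atomically.
 * Start with: new Thread(new TokenFileRefresher(new File(System.getenv(
 *   UserGroupInformation.HADOOP_TOKEN_FILE_LOCATION)), conf, 60000L)).start();
 */
public final class TokenFileRefresher implements Runnable {
  private final File tokenFile;
  private final Configuration conf;
  private final long pollMillis;
  private long lastSeenMtime = 0L;

  public TokenFileRefresher(File tokenFile, Configuration conf, long pollMillis) {
    this.tokenFile = tokenFile;
    this.conf = conf;
    this.pollMillis = pollMillis;
  }
  /** Reloads once if the file changed; returns the number of tokens merged. */
  public int refreshIfUpdated() throws IOException {
    long mtime = tokenFile.lastModified();          // 0 if the file is missing
    if (mtime == 0L || mtime <= lastSeenMtime) {
      return 0;                                     // nothing new to load
    }
    Credentials fresh = Credentials.readTokenStorageFile(tokenFile, conf);
    UserGroupInformation.getCurrentUser().addCredentials(fresh);
    lastSeenMtime = mtime;
    return fresh.numberOfTokens();
  }

  @Override
  public void run() {
    while (!Thread.currentThread().isInterrupted()) {
      try {
        refreshIfUpdated();
        TimeUnit.MILLISECONDS.sleep(pollMillis);
      } catch (IOException e) {
        System.err.println("token reload failed, keeping old tokens: " + e);
      } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
      }
    }
  }
}
```

      On a read failure the previously loaded tokens stay in the UGI and the next poll retries, so a transient error never leaves the container without credentials.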

      People

        Assignee: Unassigned
        Reporter: Steve Loughran (stevel@apache.org)
        Votes: 0
        Watchers: 7