Cluster creds management

We need to allow cluster admins to manage credentials/access to the cluster.

Currently, magnum does not support cluster credential management. This is a problem for cluster admins as they are unable to restrict/deny access to an existing cluster once a user has been granted access.

At the Newton mid-cycle, we discussed two ways to manage cluster creds.

1) Replace cluster certificate.
2) Revoke certificate for a specific user.

These operations will fall under the cluster lifecycle operations umbrella and will leverage the heat software config agent that will be deployed on each cluster node for other operations such as rebuild and restart cluster.

Implementation plan:
---------------------------

This blueprint will be implemented in 2 phases. In the first phase, we'll implement point 1 listed above. This is mainly to provide at least one method of creds management to cluster admins as soon as possible. This operation will replace the cluster certificate and invalidate all user credentials. All users will need to create new certificates to gain access to the cluster again. This allows admins to revoke a users keystone creds (eg. a user has left the company ) and thus deny them access to the cluster.

In phase 2 we'll implement a finer-grained approach to cert revocation. This feature requires magnum to start storing a mapping between a keystone user and the certs they have generated in Magnum. Magnum currently does not have the plumbing required to do so. This will allow admins to list users for each cluster and revoke certs for a specific user. This might require us to contribute to upstream docker/kubernetes/mesos in order to support cert revocation lists. The Docker auth plugin work that's being done currently in Magnum can be leveraged to help with this.

Proposed change
===============
The /clusters api will need to be modified to support the new operation.
See the REST API section below for more details.

Steps needed to replace the cluster cert:
1) Generate a new keystone token and pass it to the cluster node.
     We will use the Heat software config agent to pass this token into the cluster node.
2) Invoke the make-cert.py script and generate a new certificate using the new
   keystone token.
3) Restart Swarm or Kubernetes and configure it to use the new certificate.

REST API impact
---------------
REST API will be added for :

PATCH /clusters/{id}/actions/rotate_cert

A user with "admin" role will be able to call the above operation. A user
with "non-admin" role will be restricted.