[Backport] Add kerberos grant_type to get token in exchange for Kerberos ticket …

[bizybot]

…(#42847)

Kibana wants to create access_token/refresh_token pair using Token
management APIs in exchange for kerberos tickets. client_credentials
grant_type requires every user to have cluster:admin/xpack/security/token/create
cluster privilege.

This commit introduces _kerberos grant_type for generating access_token
and refresh_token in exchange for a valid base64 encoded kerberos ticket.
In addition, kibana_user role now has cluster privilege to create tokens.
This allows Kibana to create access_token/refresh_token pair in exchange for
kerberos tickets.

Note:
The lifetime from the kerberos ticket is not used in ES and so even after it expires
the access_token/refresh_token pair will be valid. Care must be taken to invalidate
such tokens using token management APIs if required.

Closes #41943