Add support to expire and update any API token, not just the admin ones
Basically we normally restrict the API token by them having one of the
ADMIN_API_ACLS acl, which meant we could not update or expire API tokens
that did not have any of these acls.
With this change, we can lift this constraint by using --all.
Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>