[Kerberos] Add Kerberos authentication support #32263
Commits on Jun 23, 2018
- Add support framework for Kerberos Realm (#31023)
This change adds the framework to support Kerberos authN in Elasticsearch. ES is the service protected by Kerberos; each ES service node will have its own keytab. A keytab is the file with the service principal name and encrypted key. This can then be used to validate the authenticator coming in the request. This change only adds support for the SPNEGO mechanism and uses JGSS. The JVM option -Djava.security.krb5.conf can be used to specify a krb5.conf with additional settings if required.

For the Kerberos Realm:
- KerberosRealmSettings: captures the settings required for Kerberos, usually the keytab (stored in the config), cache settings and the krb debug flag.
- KerberosAuthenticationToken: handles extraction of the token from the request. Extracts the token from the request header "Authorization: Negotiate <token>". If any error condition occurs, throws an exception with REST status 401 and also adds the response header "WWW-Authenticate: Negotiate".
- KerberosTicketValidator: used for Kerberos ticket validation and GSS context establishment. On the service side we need to log in first; this uses JAAS to complete the service login. To avoid more file configuration, we generate the JAAS configuration with the required modules in memory. The token extracted from the authnToken is passed on to GSSContext, which uses the service credentials (keytab) to verify the passed token and generates an output token. If the GSS context is established it returns a tuple of client username and out token (can be empty). If an out token is present but the context is not yet established, it returns a tuple with no username and the out token. The out token needs to be returned with a 401 response and the header "WWW-Authenticate: Negotiate <token>" for ongoing negotiation. This continues until either it fails or authentication succeeds on context establishment.
- Changes in the plugin-security policy to add the required permissions: a few settings like the JAAS config and Kerberos keytab access require permissions.

For testing, KerberosTestCase is the base class to start/stop the KDC server and build test settings. SimpleKdcLdapServer is a wrapper around SimpleKdcServer (ApacheDS), which simplifies in-memory testing with a KDC and uses an in-memory LDAP server as its backend.
Commit 52d7701
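The header extraction and the three validator outcomes described in this commit message, as an added Python example (not Elasticsearch's Java code): `extract_negotiate_token` mirrors what the message says KerberosAuthenticationToken does with the `Authorization: Negotiate <token>` header, and `response_for_validation` maps the validator's (username, out token) tuple onto an HTTP status and `WWW-Authenticate` header. The function names, the `Response` class and the sample header values are constructed for this example; echoing the final out token on a successful response is standard SPNEGO-over-HTTP behaviour (RFC 4559), not something the commit message states.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Optional, Tuple

NEGOTIATE_SCHEME = "Negotiate"


class UnauthorizedError(Exception):
    """Raised for any error while extracting the token; carries the
    401 status and the WWW-Authenticate challenge to send back."""

    def __init__(self, message: str, challenge: str = NEGOTIATE_SCHEME):
        super().__init__(message)
        self.status = 401
        self.headers = {"WWW-Authenticate": challenge}


def extract_negotiate_token(headers: dict) -> Optional[bytes]:
    """Return the decoded SPNEGO token from an
    'Authorization: Negotiate <base64>' header, None when the request
    carries no Negotiate authorization at all (another realm may handle
    it), and raise UnauthorizedError (401 + 'WWW-Authenticate: Negotiate')
    when the header is present but malformed."""
    # Header names are case-insensitive (RFC 7230).
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    # Auth scheme names are case-insensitive too (RFC 7235).
    if scheme.lower() != NEGOTIATE_SCHEME.lower():
        return None
    token = token.strip()
    if not token:
        raise UnauthorizedError("invalid negotiate authentication header value")
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        raise UnauthorizedError("invalid negotiate authentication header value") from None


@dataclass
class Response:
    """Constructed stand-in for the HTTP response the realm produces."""
    status: int
    headers: dict = field(default_factory=dict)
    username: Optional[str] = None


def response_for_validation(result: Tuple[Optional[str], Optional[bytes]]) -> Response:
    """Map the validator's (username, out_token) tuple onto a response:
    - username present: context established, request is authenticated;
      a final out token (if any) is echoed so the client can complete
      mutual authentication (RFC 4559 behaviour, assumed here)
    - no username but an out token: negotiation continues with 401 and
      'WWW-Authenticate: Negotiate <out token>'
    - neither: negotiation failed, plain 401 challenge"""
    username, out_token = result
    encoded = base64.b64encode(out_token).decode("ascii") if out_token else None
    if username is not None:
        headers = {"WWW-Authenticate": f"{NEGOTIATE_SCHEME} {encoded}"} if encoded else {}
        return Response(200, headers, username)
    if encoded:
        return Response(401, {"WWW-Authenticate": f"{NEGOTIATE_SCHEME} {encoded}"})
    return Response(401, {"WWW-Authenticate": NEGOTIATE_SCHEME})


if __name__ == "__main__":
    # Constructed request: "YWJj" is base64 for the bytes b"abc".
    print(extract_negotiate_token({"Authorization": "Negotiate YWJj"}))
    print(response_for_validation((None, b"\x01\x02")))
    print(response_for_validation(("alice@EXAMPLE.COM", b"")))
```

The extractor deliberately distinguishes "no Negotiate header" (return None, so another realm such as Basic can try) from "Negotiate header present but unusable" (401 with a fresh challenge); conflating the two would either let malformed tokens fall through to other realms or block every request that carries a different scheme.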
Commits on Jun 27, 2018
- [Kerberos] Add bootstrap checks for kerberos realm (#31548)
Some system properties like `java.security.krb5.kdc` and `java.security.krb5.realm` specify values that are applicable to the whole JVM. This is the reason for having only one instance of the Kerberos realm. Each ES node will have a Kerberos keytab with credentials. This keytab must exist for Kerberos authentication to work. `KerberosRealmBootstrapCheck` performs these checks for the given configuration.
Commit 8899920
Commits on Jun 29, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jun 29, 2018
Commit 7ab5458
Commits on Jul 3, 2018
- [Kerberos] Add support for list of auth challenge (#31594)
Till now we had support for the 'Basic' and 'Bearer' auth schemes, and this was sufficient for us to reply with a `WWW-Authenticate` header with one value, either `Basic` or `Bearer`, for unauthorized access. After introducing Kerberos we will be supporting the `Negotiate` scheme. As per [RFC7235](https://tools.ietf.org/html/rfc7235#section-4.1), we may respond with a list of challenges. This list is of the auth schemes supported by the server. We can also have custom realms defining their own response header value for the 'WWW-Authenticate' header. This commit introduces `getWWWAuthenticateHeaderValue` in `Realm` to identify the scheme which it wants to use. By default it uses the 'Basic' auth scheme. This can be overridden by realms like KerberosRealm to specify the 'Negotiate' scheme, or OAuth to specify 'Bearer', or custom realms added by security extensions to specify their own scheme. SAML specifications do not specify anything related to the header, but unofficially many have used 'SAML' as the auth scheme or used the 'Bearer' auth scheme for passing SAML tokens. But most of the realms would use the existing schemes like 'Basic', 'Digest', 'Bearer', 'Negotiate' etc. At startup, `Security#createComponents` will take care of creating `DefaultAuthenticationFailureHandler` with default response header values for 'WWW-Authenticate' as a list of the configured and enabled auth schemes.
Commit 52367f2
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 3, 2018
Commit b113d44
Commits on Jul 4, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 4, 2018
Commit 0024660
Commits on Jul 9, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 9, 2018
Commit 87f7c4c
Commits on Jul 10, 2018
- [Kerberos] Add Kerberos Realm (#31761)
This commit adds an authentication realm for handling Kerberos authentication by the SPNEGO mechanism. The class `KerberosRealm` authenticates the user for a given Kerberos ticket after validating the ticket using `KerberosTicketValidator`. It uses the native role mapping store to find user details and then creates an authenticated `User`. On successful authentication, it will return a populated `User` object with roles. On failure to authenticate, it will terminate the authentication process with a failure message. The failure could be due to a GSS context negotiation failure requiring further negotiation, and it might return an outToken to be communicated with the peer as the value for header `WWW-Authenticate` in the form 'Negotiate oYH1MIHyoAMK...'. There could be other failures like a JAAS login exception or GSS exception which will terminate the authentication process.

As KerberosRealm can terminate the authentication process during context negotiation with some outToken, the header value for `WWW-Authenticate` needs to be preserved. Earlier the behavior was to overwrite all the headers as defined in the authentication failure handler in my last commit. Negotiate does maintain a kind of state over HTTP and so we have to handle this in a special way. For this, I have added a special check: if the exception has header 'WWW-Authenticate' with the 'Negotiate ' scheme and a token, it will not be overwritten.

We want Kerberos to be a platinum feature, so it is not included as part of the standard types, similar to SAML.

TODO: Support for user lookup from other realms like AD/LDAP. The authorizing realms feature is work in progress; once completed I will add the support to KerberosRealm. I have a TODO note in the source code.
Commit 24a3f16
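Putting together the two `WWW-Authenticate` rules from #31594 and this commit, as an added Python example (not the project's Java code): `default_challenges` builds the list of challenge values from the enabled realms' schemes, defaulting to 'Basic' as #31594 describes, and `failure_headers` applies the preservation check from this commit, leaving an in-progress 'Negotiate <token>' challenge untouched while replacing any other header value with the default list. The `Realm` stand-in, the function names and the sample token are constructed for this example.

```python
from typing import Dict, Iterable, List

DEFAULT_SCHEME = "Basic"
NEGOTIATE_PREFIX = "Negotiate "


class Realm:
    """Constructed stand-in for a realm: only its name, whether it is
    enabled, and the challenge it wants advertised."""

    def __init__(self, name: str, scheme: str = DEFAULT_SCHEME, enabled: bool = True):
        self.name = name
        self.scheme = scheme
        self.enabled = enabled

    def www_authenticate_header_value(self) -> str:
        # Default is 'Basic'; a Kerberos realm returns 'Negotiate', an
        # OAuth realm 'Bearer', a security extension its own scheme.
        return self.scheme


def default_challenges(realms: Iterable[Realm]) -> List[str]:
    """Collect the distinct challenge values of all enabled realms in
    first-seen order (RFC 7235 allows several challenges in a 401), and
    fall back to 'Basic' when no realm is configured."""
    challenges: List[str] = []
    for realm in realms:
        if not realm.enabled:
            continue
        value = realm.www_authenticate_header_value()
        if value not in challenges:
            challenges.append(value)
    return challenges or [DEFAULT_SCHEME]


def is_negotiate_with_token(values: List[str]) -> bool:
    """True when one of the challenge values is 'Negotiate <token>' with
    a non-empty token, i.e. a GSS context negotiation still in progress.
    A bare 'Negotiate' is just the default challenge and does not count."""
    return any(
        v.startswith(NEGOTIATE_PREFIX) and v[len(NEGOTIATE_PREFIX):].strip() != ""
        for v in values
    )


def failure_headers(defaults: List[str], exception_headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Build the headers of a 401 response. Headers carried by the
    failure are normally replaced by the default challenge list, but an
    in-progress 'Negotiate <token>' challenge must survive, otherwise the
    client never receives the out token it needs to finish establishing
    the context."""
    headers = {k: list(v) for k, v in exception_headers.items()}
    if is_negotiate_with_token(headers.get("WWW-Authenticate", [])):
        return headers
    headers["WWW-Authenticate"] = list(defaults)
    return headers


if __name__ == "__main__":
    # Constructed realm set and a constructed (truncated) SPNEGO token.
    realms = [Realm("file"), Realm("kerb", "Negotiate"), Realm("native"), Realm("saml", "Bearer", enabled=False)]
    defaults = default_challenges(realms)
    print(defaults)
    print(failure_headers(defaults, {"WWW-Authenticate": ["Negotiate oYH1MIHy"]}))
    print(failure_headers(defaults, {"WWW-Authenticate": ["Negotiate"]}))
```

The check looks for the scheme followed by a token rather than for the scheme alone: a bare `Negotiate` is exactly what the default list already contains, so treating it as "in progress" would let a plain Kerberos failure suppress the other realms' challenges.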
Commits on Jul 11, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 11, 2018
Commit 3e98dd4
Commits on Jul 12, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 12, 2018
Commit 61e349f
- [Kerberos] Remove realm from principal name (#31928)
This commit adds support for removing the realm name from the Kerberos principal name. Principal names in Kerberos are in the form primary/instance@realm. Since we will be supporting user lookups, and depending on the scenario, we may want to remove the REALM part and use the username for lookup or role mapping. This change adds a new setting with the default value false to control removing of the realm name. Modified tests to randomly use this setting during testing.
Commit 375954f
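The principal-name split this commit describes, as an added Python example (not the project's code): `split_realm` finds the '@' that starts the realm in 'primary/instance@realm', and `username_for_lookup` applies a realm-removal flag that defaults to false, as the setting in the commit does. The commit message does not name the setting and says nothing about escaping, so the `remove_realm` parameter name and the backslash-escape handling (following MIT Kerberos' name syntax) are assumptions of this example, as are the sample principal names.

```python
from typing import Optional, Tuple


def _first_unescaped(s: str, target: str) -> int:
    """Index of the first occurrence of `target` in `s` that is not
    preceded by a backslash escape, or -1. Backslash escaping as in MIT
    Kerberos is an assumption of this example."""
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if s[i] == target:
            return i
        i += 1
    return -1


def split_realm(name: str) -> Tuple[str, Optional[str]]:
    """Split 'primary/instance@REALM' into the name part and the realm.
    Returns (name, None) when no realm is present; rejects an empty
    name, an empty primary, an empty realm or a second unescaped '@'."""
    at = _first_unescaped(name, "@")
    if at < 0:
        if not name:
            raise ValueError("empty principal name")
        return name, None
    if at == 0:
        raise ValueError(f"principal name has no primary: {name!r}")
    realm = name[at + 1:]
    if not realm or _first_unescaped(realm, "@") >= 0:
        raise ValueError(f"malformed realm in principal name: {name!r}")
    return name[:at], realm


def username_for_lookup(principal_name: str, remove_realm: bool = False) -> str:
    """Name used for user lookup / role mapping. With remove_realm off
    (the default, matching the setting's default of false) the principal
    name is used unchanged; with it on, the '@REALM' suffix is dropped.
    `remove_realm` is a constructed name, not the real setting."""
    if not remove_realm:
        return principal_name
    name, _realm = split_realm(principal_name)
    return name


if __name__ == "__main__":
    # Constructed sample principals, not values from the project.
    for sample in ("alice@EXAMPLE.COM", "HTTP/es01.example.com@EXAMPLE.COM", r"first\@last@EXAMPLE.COM"):
        print(sample, "->", username_for_lookup(sample, remove_realm=True))
```

Once the realm is removed, 'alice@REALM1' and 'alice@REALM2' map to the same lookup key, so the flag is only safe where a single realm (or a trust relationship that already guarantees unique primaries) is in play; with it left at its default the full principal name stays the identity.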
Commits on Jul 16, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 16, 2018
Commit 45690fc
Commits on Jul 18, 2018
- [Kerberos] Rest client integration test (#32070)
This commit adds the REST client integration test for Kerberos. This uses the existing krb5kdc-fixture, which makes use of MIT Kerberos. Added support to create principals with a password in krb5kdc-fixture. The REST test demonstrates the following:
- use of the REST client to invoke Elasticsearch APIs authenticating using the SPNEGO mechanism, an example showing what customizations we need to do to build the REST client
- test for login by keytab for a user principal
- test for login by username and password for a user principal
Commit dd7cdfd
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 18, 2018
Commit 0e180b3
Commits on Jul 19, 2018
- [Kerberos] Refactoring and remove configs with defaults (#32152)
This commit does some refactoring to remove the support package and move classes to the kerberos package. That was the only class in that package, so there is no need for it to be in a separate package. Changes done to use default values for the JAAS configuration options for the ones where we can use defaults. Fixed a couple of random failures in tests. Modified `refreshKrb5Config` to use the default value `false` in KerberosTicketValidator. If the krb5.conf file is modified then we will need to restart the JVM, as the config will not be refreshed. For testing, `refreshKrb5Config` is set to `true` as we keep changing the KDC port. This is set in SpnegoClient and only for tests.
Commit f0df110
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 19, 2018
Commit e12c883
Commits on Jul 20, 2018
- [Kerberos] Fix to audit log authc_failed event once (#32220)
The exception was being sent twice due to incorrect handling of conditional statements, causing multiple authentication_failed events in audit logs.
Commit 141cee2
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 20, 2018
Commit 2a6785b
- [Kerberos] Remove deprecated char ':' from build.gradle (#32247)
From 5.0 onwards the use of a few characters will not be allowed, one of them being ':'. This commit removes that character. Also adds a dependency for the copy task on the creation of principal names, which caused problems with clean test runs.
Commit 158f585
Commits on Jul 21, 2018
- Merge branch 'master' into kerberos/sync
Yogesh Gaikwad committed Jul 21, 2018
Commit 45a508f