AMBARI-15561 (Ambari)

Automate creation of Ambari Server proxy users (secure/non-secure clusters), principal and keytab, setup of JAAS (secure clusters)


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.0
    • Component/s: ambari-server
    • Labels: None

    Description

      The aim of this improvement is to automate the following:

      • creation of the proxy users Ambari Server needs for views (Files, Hive, Pig, Tez, etc.)
      • creation of the Ambari Server principal and keytab, and setup of JAAS, which is currently a manual step documented here:

      http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html

      For a non-secure cluster, the Ambari proxy user is the user account Ambari Server runs as. This is specified in ambari.properties by ambari-server.user and can be adjusted by running 'ambari-server setup'.
      The stack advisor is responsible for configuring the proxy users in both secure and non-secure clusters, for wizard-based as well as blueprint-based deployments.
      In blueprint-based deployments the proxy users are therefore only created if the cluster creation template sets "config_recommendation_strategy": "ALWAYS_APPLY".
      The stack advisor configures the following proxy-user properties:

      hadoop.proxyuser.${ambari_proxy_user}.groups=*
      hadoop.proxyuser.${ambari_proxy_user}.hosts=*

      hadoop.proxyuser.hcat.groups=*
      hadoop.proxyuser.hcat.hosts=*

      webhcat.proxyuser.${ambari_proxy_user}.groups=*
      webhcat.proxyuser.${ambari_proxy_user}.hosts=*

      yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.hosts=*
      yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.users=*
      yarn.timeline-service.http-authentication.proxyuser.${ambari_proxy_user}.groups=*

      For a secure cluster (securityType=KERBEROS), the proxy user is set up based on the Ambari Server principal.
      A new identity, 'ambari-server', is added to the default Kerberos descriptor. Its principal name can be modified either on the Kerberos setup wizard screen or, in the blueprint case, by submitting a custom Kerberos descriptor.
      By default, the principal name is:

      ambari-server-${cluster_name}@${realm}

      The generated principal and keytab are then written into the Ambari Server JAAS configuration file.

      Generation of the Ambari Server principal and keytab can be enabled or disabled by setting create_ambari_principal = true / false in the kerberos-env config ('Create Ambari Principal & Keytab' on the Kerberos setup wizard screen). It is enabled by default.

      There is new functionality in the Kerberos-related handling of configurations recommended by the stack advisor: properties that the stack advisor marks with the delete flag are removed from the configuration when the Enable Kerberos wizard runs. This is needed so that the proxy user configured for the non-secure run-as account can be removed.

      In a scenario where multiple Ambari Servers manage a single cluster, only the operation master Ambari Server is affected. All other Ambari Server instances must be updated manually: the Ambari Server keytab file has to be distributed by hand to the other Ambari Server hosts, and their JAAS files have to be updated either by editing /etc/ambari-server/conf/krb5JAASLogin.conf or by running ambari-server setup-security and selecting option #3, 'Setup Ambari kerberos JAAS configuration'.

      Attachments

        1. AMBARI-15561-v2.patch (87 kB) - Magyari Sandor Szilard
        2. Screen Shot 2016-03-31 at 12.45.42 AM.png (238 kB) - Swapan Shridhar

      People

        Assignee: Magyari Sandor Szilard (smagyari)
        Reporter: Magyari Sandor Szilard (smagyari)