We are going to need to determine whether this Jira is going to break existing functionality in Knox and tests:
https://issues.apache.org/jira/browse/HADOOP-10301 Changing the response code from an inappropriate 401 with no WWW-Authenticate headers to a 403 - forbidden.
