Github user joewitt commented on the issue:
https://github.com/apache/nifi/pull/2360
Yeah the docs suggest it will be true by default but in the environment(s)
we were running against it was consistently being set to false which opened us
up to this risk. By explicitly setting it to true for NiFi we're correctly
asserting that under no circumstance should the NiFi app ever be asked to go
grab user supplied input for Kerberos logins.---
