Github user bbende commented on the issue:
https://github.com/apache/nifi/pull/2866
@pepov your description of the various kerberos options is correct, and the
SPNEGO approach is definitely the traditional way kerberos is intended to work.
The direct login is definitely more convenient in that you don't have to kinit
or configure your browser, however it does somewhat defeat the purpose of
kerberos by having the user provide their credentials directly to NiFi.---
