I've been playing with site-to-site and found an interesting quirk. I had the full DN's from my certificates for my usernames, but decided to setup nifi.security.identity.mapping patterns for both the DN's and for Kerberos; which by the way works great for normal users.
I renamed just my own account in users.xml so I could login. I was getting site-to-site login errors so I renamed the user accounts to be just the CN name, and in nifi-user.log I started seeing successful authentications. Then I started seeing this message in the nifi-app.log and eventually it started showing up as bulletin messages: EndpointConnectionPool[Cluster URL=https://host1:8443/nifi] failed to communicate with Peer[url=nifi://host1:8500,CLOSED] due to org.apache.nifi.remote.exception.HandshakeException: Received unexpected response User Not Authorized: StandardRootGroupPort[id=1c60dcc0-0157-1000-c554-002d2b3e3702] authorization failed for user EMAILADDRESS=pwi...@micron.com, CN=host2, OU=ou, O=Micron Technology Inc., L=Boise, ST=ID, C=US because Unknown user with identity 'EMAILADDRESS=pwi...@micron.com, CN=host2, OU=ou, O=Micron Technology Inc., L=Boise, ST=ID, C=US'. I worked around my site-to-site auth issue by adding a second account with the full DN from the certificate. This allowed site-to-site to start working again. This feels like a bug in Site-to-Site (StandardRootGroupPort). I cut a Jira for it: https://issues.apache.org/jira/browse/NIFI-2757. If I'm missing something from a configuration perspective please let me know.