HADOOP-8855 changed KerberosAuthenticator to handle when the JDK did the SPNEGO already; but this change broke using the fallback authenticator (PseudoAuthenticator) with an anonymous user (see OOZIE-1010).
SSL-based image transfer does not work when Kerberos is disabled
Oozie CLI throws an NPE with Hadoop trunk with simple auth
KerberosAuthenticator can connect to a non-secure cluster
KerberosAuthenticator always does SPNEGO