With the fix in
HDFS-5804, users don't have to use the same use to start NFS gateway and HDFS.
One should always specify the following two properties regardless the HDFS cluster is secure or not: hadoop.proxyuser.nfsserver.groups and hadoop.proxyuser.nfsserver.hosts. As pointed out in the user guide, "nfsserver" should be replace by the user who starts NFS gateway.
For secure HDFS cluster, it doesn't matter who starts NFS gateway. It's all about the user account in the keytab. In the above two properties, "nfsserver" should be replaced by the user in the keytab.