Authorization requests/results are now explicitly audited. This change was due to the fact that the Ranger was auditing a lot of false positives previously. This is partly because the NiFi uses authorization to check which features the user may have permissions to. This check is used to enable/disable various parts of the UI. The remainder of the false positives came from the authorizer not knowing the entire context of the request. For instance, when a Processor has no policy we check its parent and so on.
The memory leak is due to the authorizer holding onto authorization results that are never destined for auditing.