REMOTE_USER should be unset for Pulp API cert authentication
Refs #28761 - Always set an empty REMOTE_USER for pulpcore API
8be796383668528c3841d7378a2f3ef0dd6e86f7 started to pass the REMOTE_USER header to the pulpcore API when SSL authentication is present. Otherwise the REMOTE_USER header stays untouched. This allows attackers to impersonate any user. By always setting it to an empty string before optionally overriding, this security concern is addressed.