Long-lived clients of HDFS (e.g. Oozie) use cached DFSClients, which in turn use a cached KMSClientProvider to talk to KMS.
Before an MR job is run, the job client calls the DFSClient.addDelegationTokens() method, which calls addDelegationTokens() on the KMSClientProvider to get any delegation token associated with the user.
Unfortunately, this call uses a cached DelegationTokenAuthenticationURL.Token instance, which can cause the SignerSecretProvider implementation of the AuthenticationFilter at the KMS server end to fail validation, which results in the MR job itself failing.
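
The failure mode described above can be reproduced in isolation. The following is an added example, not Hadoop code or the project's fix: it assumes the server-side signing secret rotates while the client keeps its old signed token, and shows one generic mitigation (discard the cached token and re-authenticate once). All class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class CachedTokenDemo {  // stand-alone simulation; all names are hypothetical, not Hadoop APIs
    static class Server {       // signs with the newest secret, accepts the two newest
        private final Deque<byte[]> secrets = new ArrayDeque<>();
        Server() { rollSecret(); }
        void rollSecret() {     // assumed cause of the failure: periodic secret rotation
            secrets.addFirst(UUID.randomUUID().toString().getBytes(StandardCharsets.UTF_8)); // constructed secret
            if (secrets.size() > 2) secrets.removeLast();
        }
        private static byte[] sign(byte[] key, String payload) throws Exception {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        }
        String authenticate(String user) throws Exception {  // full login, issues a signed token
            return user + "&s=" + Base64.getEncoder().encodeToString(sign(secrets.peekFirst(), user));
        }
        boolean validate(String token) throws Exception {
            String[] parts = token.split("&s=", 2);
            if (parts.length != 2) return false;
            byte[] given = Base64.getDecoder().decode(parts[1]);
            for (byte[] key : secrets)   // constant-time comparison against each accepted secret
                if (MessageDigest.isEqual(sign(key, parts[0]), given)) return true;
            return false;
        }
    }
    static class CachingClient {  // long-lived client that reuses its auth token between calls
        private final Server server; private final String user; private String cachedToken;
        CachingClient(Server server, String user) { this.server = server; this.user = user; }
        boolean call(boolean retryOnFailure) throws Exception {
            if (cachedToken == null) cachedToken = server.authenticate(user);
            if (server.validate(cachedToken)) return true;
            if (!retryOnFailure) return false;        // the failure described above
            cachedToken = server.authenticate(user);  // drop the stale token, log in again once
            return server.validate(cachedToken);
        }
    }
    public static void main(String[] args) throws Exception {
        Server kms = new Server();
        CachingClient client = new CachingClient(kms, "oozie");
        System.out.println("fresh token accepted: " + client.call(false));
        kms.rollSecret(); kms.rollSecret();           // client idle across two rotations
        System.out.println("stale cached token accepted: " + client.call(false));
        System.out.println("after re-authentication: " + client.call(true));
    }
}
```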