LoadBalancingKMSClientProvider only gets delegation token from one KMS instance, in a round-robin fashion. This is arguably a bug, as JavaDoc for KeyProviderDelegationTokenExtension#addDelegationTokens states:
- The implementer of this class will take a renewer and add all
- delegation tokens associated with the renewer to the
- <code>Credentials</code> object if it is not already present,
This bug doesn't pop up very often, because HDFS clients such as MapReduce unintentionally calls FileSystem#addDelegationTokens multiple times.
We have a custom client that accesses HDFS/KMS-HA using delegation token, and we were puzzled why it always throws "Failed to find any Kerberos tgt" exceptions talking to one KMS but not the other. Turns out that client couldn't talk to the KMS because FileSystem#addDelegationTokens only gets one KMS delegation token at a time.