HADOOP-14445, KMS client always authenticates itself using the credentials from login user, rather than current user.
The log message "Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials" is printed because KMSClientProvider#containsKmsDt() is null when it definitely has the kms delegation token.
In fact, KMSClientProvider#containsKmsDt() should select delegation token using clientTokenProvider.selectDelegationToken(creds) rather than checking if its dtService is in the user credentials.
This is done correctly in KMSClientProvider#createAuthenticatedURL though.
We found this bug when it broke Cloudera's Backup and Disaster Recovery tool.