When does the delegation token that the namenode provides (redirectToRandomDataNode()) expire?
A lot of websites pass security tokens via cookies, because GET parameters tend to get written down in referrer fields and such. So there's the potential that someone will get their hands on your token. Am I right that the token lets anyone read any data as if they were you? I'd be more comfortable if it were cookie based (though that implies that your datanodes and your namenode are in the same domain, which might not be workable), though I do see how GET is simpler.
The web security part of me is also worried that this is liable to CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks. The key there, I think, is to make sure that when the namenode is issuing tokens, it's absolutely confident that it's issuing them to someone who is asking for them.
Might be worthwhile to make this a constant. It's unlikely to change
This isn't necessary this JIRA's to fix (nor is it introduced in this patch), but the manual URL concatenation strikes me as a bit ugly. Most web frameworks have utilities to add GET parameters and such and to build URLs for you. Not sure if one is handy in our environment, but usually more readable than long string concatenations.
There aren't any Understandable in a preliminary patch.