OK, the individual changes:
1) In the JobTracker, the getStagingArea RPC needs to construct a path for the user to write job files to. The getStagingArea does a getFileSystem and internally the getFileSystem sets up a connection to the namenode. For this connection, the JobTracker's credential should be used. That's why the mrOwner.doAs in that method is required.
2) In Child.java, the task authenticates to the TaskTracker using the job token. The username in the job token is the jobId. The doAs block done using taskOwner is required so that the username mentioned in the token and the one doing the operation match.
3) In Child.java, the task execution and the task cleanup are within doAs blocks, and those doAs blocks are run as the user submitting the job. In the former part, the task communicates with the namenode, and in the latter, it could potentially communicate with the namenode (abortTask creates a connection to the namenode, etc.). These are within doAs blocks so that the username mentioned in the delegation token (the job-submitting user) matches the user performing the operation.
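The three doAs scopes described above, as an added illustration written for this note (not code from the Hadoop patch itself). It uses the public Hadoop security API (UserGroupInformation.getLoginUser, createRemoteUser, addToken, doAs) and assumes Hadoop 2.x's Token.decodeIdentifier(); the class and method names (DoAsScopes, stagingAreaAsMrOwner, runAsTokenUser) and the staging-root argument are hypothetical. The point it adds to the prose is the check a practitioner wants: before running a doAs block, confirm that the user named in the token is the same user the UGI will present, because a mismatch only surfaces later as an RPC authentication failure.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Hypothetical helper showing the three doAs scopes discussed in the note. */
public final class DoAsScopes {

    private DoAsScopes() {}

    /**
     * Scope 1 (JobTracker.getStagingArea): the path is for the submitting user,
     * but the namenode connection opened by FileSystem.get must carry the
     * JobTracker's own credential, so the call runs as mrOwner (the login user).
     */
    public static Path stagingAreaAsMrOwner(final Configuration conf,
                                            final Path stagingRoot,
                                            final String submittingUser)
            throws IOException, InterruptedException {
        UserGroupInformation mrOwner = UserGroupInformation.getLoginUser();
        return mrOwner.doAs(new PrivilegedExceptionAction<Path>() {
            @Override
            public Path run() throws IOException {
                FileSystem fs = FileSystem.get(conf);          // connects as mrOwner
                Path area = new Path(stagingRoot, submittingUser + "/.staging");
                return area.makeQualified(fs.getUri(), fs.getWorkingDirectory());
            }
        });
    }

    /**
     * Scopes 2 and 3 (Child.java): build a UGI whose name is the user named in
     * the token (jobId for the job token, the submitting user for the HDFS
     * delegation token), attach the token, and run the action inside doAs so
     * the RPC layer authenticates with that token.
     */
    public static <T> T runAsTokenUser(final String expectedUser,
                                       final Token<? extends TokenIdentifier> token,
                                       final PrivilegedExceptionAction<T> action)
            throws IOException, InterruptedException {
        // The check the prose implies: the token's user must equal the UGI user,
        // otherwise the server rejects the authentication at RPC time.
        TokenIdentifier id = token.decodeIdentifier();
        String tokenUser = id.getUser().getUserName();
        if (!tokenUser.equals(expectedUser)) {
            throw new IOException("token is for " + tokenUser
                    + " but doAs user is " + expectedUser);
        }
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(expectedUser);
        ugi.addToken(token);
        return ugi.doAs(action);
    }

    /** Example wiring for Child.java-style task execution and cleanup. */
    public static void runTaskAndCleanup(final String jobId,
                                         final Token<? extends TokenIdentifier> jobToken,
                                         final String submitter,
                                         final Token<? extends TokenIdentifier> hdfsToken,
                                         final PrivilegedExceptionAction<Void> talkToTaskTracker,
                                         final PrivilegedExceptionAction<Void> taskBody,
                                         final PrivilegedExceptionAction<Void> cleanup)
            throws IOException, InterruptedException {
        // Scope 2: username in the job token is the jobId, so doAs as jobId.
        runAsTokenUser(jobId, jobToken, talkToTaskTracker);
        try {
            // Scope 3a: task body may hit the namenode; run as the submitter.
            runAsTokenUser(submitter, hdfsToken, taskBody);
        } finally {
            // Scope 3b: cleanup (abortTask) may also open a namenode connection.
            runAsTokenUser(submitter, hdfsToken, cleanup);
        }
    }
}
```

The consistency check at the top of runAsTokenUser is the part most worth keeping: the failure mode the note describes (username in the token not matching the user performing the operation) is otherwise only visible as a SASL or RPC authentication error on the server side.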