It is currently the client's responsibility to call SecurityUtil.getServerPrincipal() to replace the _HOST placeholder in any principal name used for a delegation token. This is a non-optional operation and should not be pushed onto the client.
All client apps that followed the distributed shell as the canonical example failed to do the replacement because distributed shell fails to do the replacement. (See
YARN-4629.) Rather than fixing the whole world, since the whole world use distributed shell as a model, let's move the operation into YARN where it belongs.