When RM HA is enabled, impersonation does not work correctly if the Yarn Client connects to the standby RM first. When this happens, the impersonation is "lost" and the client does things on behalf of the impersonator user. We saw this with the
OOZIE-1770 Oozie on Yarn feature.
I need to investigate this some more, but it appears to be related to delegation tokens. When this issue occurs, the tokens have the owner as "oozie" instead of the actual user. On a hunch, we found a workaround that explicitly adding a correct RM HA delegation token fixes the problem: