The HBaseAdmin has a connection inside that contains the current UGI at the creation time. Reusing will break impersonation, because now Flow's HBase operations may be using the wrong UGI, which may not have privileges on the appropriate namespace (not should the incorrect user be used to create the HBase tables).
Fixed an issue that allows impersonation in flows to work correctly, by not re-using HBaseAdmin across different UGI.
Fix for 3.5 in https://github.com/caskdata/cdap/pull/6895
Additionally, we renew the Kerberos login for the master principal, but not for any impersonated principal's UGIs. Because of that, if the first HBaseAdmin is created for an impersonated namespace, that UGI's kerberos credentials will not be renewed/updated. After some time, it will expire and I believe that is the reason that this error log can be seen upon any Flow's HBase operation:
Reopen as it hasn't port back to 4.0
Fix is ported to 3.6 and develop. Marking the JIRA as resolved.