When Kerberos is enabled on a cluster, we only authenticate as the Kerberos admin user. However, HDFS directory checks are run as cdap['cdap-site']['hdfs.user'] rather than the Kerberos admin. Directory creation is done using cdap['fs_superuser'] which is normally "hdfs" user.
The cookbook doesn't properly get kerberos tickets. Functionality is piggy-backed on the existing credentials from using the hadoop_wrapper cookbook in the same run_list.
This causes the directories to be created every time.