If an impersonated namespace is created with a complete kerberos principal containing primary/instance@REALM the authorization call for impersonated operations fail because the authorization enforcement calls are made with the complete principal as the username.
Our integration tests don't catch this because we configure our impersonated namespace with principal just as the primary (username) part of the Kerberos principal (short name).
This issue might be with an impersonated app, dataset or anything which supports impersonation. We need to verify this.
The current workaround is to avoid using full Kerberos principal.