According to the `Hadoop : The Definitive Guide`
>A delegation token is generated by the server (the NameNode in this case),
and can be thought of as a shared secret between the client and the server.
On the first RPC call to the NameNode, the client has no delegation token,
so it uses Kerberos to authenticate, and as a part of the response it gets
a delegation token from the NameNode. In subsequent calls, it presents the
delegation token, which the NameNode can verify (since it generated it
using a secret key), and hence the client is authenticated to the server.
Once the TGS (Ticket Granting Server) gives a service ticket to the Client
for the NameNode, the service ticket can be used again and again to invoke
the service without contacting the KDC (Key Distribution Center) till the
service ticket expires. Then what is the advantage of the delegation token
over the Kerberos service ticket for accessing the NameNode?