diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java
index 4aae4d9a77ed..31892199bf82 100644
--- a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java
+++ b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.java
@@ -130,9 +130,15 @@ public RangerClientMultiTenantAccessController(OzoneConfiguration conf)
 
     LOG.info("authType = {}, login user = {}", authType, usernameOrPrincipal);
 
-    client = new RangerClient(rangerHttpsAddress,
-        authType, usernameOrPrincipal, passwordOrKeytab,
-        rangerServiceName, OzoneConsts.OZONE);
+    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+    try {
+      client = new RangerClient(rangerHttpsAddress,
+          authType, usernameOrPrincipal, passwordOrKeytab,
+          rangerServiceName, OzoneConsts.OZONE);
+    } finally {
+      // set back the expected login user
+      UserGroupInformation.setLoginUser(loginUser);
+    }
 
     // Whether or not the Ranger credentials are valid is unknown right after
     // RangerClient initialization here. Because RangerClient does not perform