diff --git a/docs/security/kinit.md b/docs/security/kinit.md
index 0d613e0006e..a5e86f7a207 100644
--- a/docs/security/kinit.md
+++ b/docs/security/kinit.md
@@ -101,6 +101,9 @@ hadoop.proxyuser..groups *
 hadoop.proxyuser..hosts *
 ```
 
+Also, you must configure `kyuubi.session.local.dir.allow.list` to exclude your Kyuubi server's keytab and any other credential from the local directories.
+Otherwise, any user who can login to the Kyuubi server via Kyuubi frontend protocols is possible to obtain the keytab and to impersonate the users configured by Hadoop proxy user settings.
+
 ## Further Readings
 
 - [Hadoop in Secure Mode](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html)
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
index a8997401acc..49f903fd692 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KinitAuxiliaryService.scala
@@ -44,6 +44,12 @@ class KinitAuxiliaryService() extends AbstractService("KinitAuxiliaryService") {
     kinitMaxAttempts = conf.get(KyuubiConf.KINIT_MAX_ATTEMPTS)
     require(keytab.nonEmpty && principal.nonEmpty, "principal or keytab is missing")
+    if (conf.get(KyuubiConf.ENGINE_DO_AS_ENABLED) &&
+      conf.get(KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST).isEmpty) {
+      warn(s"User impersonation is enabled, but ${KyuubiConf.SESSION_LOCAL_DIR_ALLOW_LIST}" +
+        " is unset. We strongly recommend to configure the allowed local dir list" +
+        " to exclude any credential including keytab.")
+    }
     UserGroupInformation.loginUserFromKeytab(principal.get, keytab.get)
     val krb5Conf = Option(System.getProperty("java.security.krb5.conf"))
       .orElse(Option(System.getenv("KRB5_CONFIG")))