diff --git a/paimon-common/src/main/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystem.java b/paimon-common/src/main/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystem.java
index d229579ce5d6..cbfca1b6d953 100644
--- a/paimon-common/src/main/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystem.java
+++ b/paimon-common/src/main/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystem.java
@@ -21,6 +21,7 @@
 import org.apache.paimon.options.Options;
 import org.apache.paimon.security.HadoopModule;
 import org.apache.paimon.security.SecurityConfiguration;
+import org.apache.paimon.utils.StringUtils;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FSDataInputStream;
@@ -200,6 +201,14 @@ public static FileSystem trySecureFileSystem(
             throws IOException {
         SecurityConfiguration config = new SecurityConfiguration(options);
         if (config.isLegal()) {
+            if (StringUtils.isNullOrWhitespaceOnly(config.getKeytab())
+                    && StringUtils.isNullOrWhitespaceOnly(config.getPrincipal())) {
+                LOG.info(
+                        "No paimon Kerberos credentials configured "
+                                + "(security.kerberos.login.keytab/principal); "
+                                + "skip HadoopModule.install() to preserve externally-established UGI.");
+                return fileSystem;
+            }
             LOG.info("Hadoop security configuration is legal, use the secured FileSystem.");
             HadoopModule module = new HadoopModule(config, configuration);
             module.install();
diff --git a/paimon-common/src/test/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystemTest.java b/paimon-common/src/test/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystemTest.java
index 10d60f2bc415..8a14c7d264f6 100644
--- a/paimon-common/src/test/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystemTest.java
+++ b/paimon-common/src/test/java/org/apache/paimon/fs/hadoop/HadoopSecuredFileSystemTest.java
@@ -47,4 +47,28 @@ public void test() throws Exception {
         assertThat(fileIO.getFileSystem(new org.apache.hadoop.fs.Path("file:///tmp/test")))
                 .isInstanceOf(HadoopSecuredFileSystem.class);
     }
+
+    @Test
+    public void testPreserveExternalUgiWhenNoKerberosCredentials() throws Exception {
+        Options options = new Options();
+
+        HadoopFileIO fileIO = new HadoopFileIO(new Path("file:///tmp/test"));
+        fileIO.configure(CatalogContext.create(options));
+        assertThat(fileIO.getFileSystem(new org.apache.hadoop.fs.Path("file:///tmp/test")))
+                .isNotInstanceOf(HadoopSecuredFileSystem.class);
+    }
+
+    @Test
+    public void testReturnOriginalFileSystemWhenSecurityConfigIsIllegal() throws Exception {
+        File keytabFile = new File(tmp.toFile(), "test-keytab.keytab");
+        assertThat(keytabFile.createNewFile()).isTrue();
+
+        Options options = new Options();
+        options.set("security.kerberos.login.keytab", keytabFile.getAbsolutePath());
+
+        HadoopFileIO fileIO = new HadoopFileIO(new Path("file:///tmp/test"));
+        fileIO.configure(CatalogContext.create(options));
+        assertThat(fileIO.getFileSystem(new org.apache.hadoop.fs.Path("file:///tmp/test")))
+                .isNotInstanceOf(HadoopSecuredFileSystem.class);
+    }
 }