diff --git a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
index 23f3cfcadf5..e3b50bf7e50 100644
--- a/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
+++ b/hadoop-mapreduce-project/hadoop-mapreduce-client/hadoop-mapreduce-client-core/src/main/java/org/apache/hadoop/mapreduce/filecache/ClientDistributedCacheManager.java
@@ -274,10 +274,21 @@ public class ClientDistributedCacheManager {
       FsAction action, Map<URI, FileStatus> statCache) throws IOException {
     FileStatus status = getFileStatus(fs, path.toUri(), statCache);
     FsPermission perms = status.getPermission();
-    FsAction otherAction = perms.getOtherAction();
-    if (otherAction.implies(action)) {
-      return true;
+
+    // Encrypted files are always treated as private. This stance has two
+    // important side effects.  The first is that the encrypted files will be
+    // downloaded as the job owner instead of the YARN user, which is required
+    // for the KMS ACLs to work as expected.  Second, it prevent a file with
+    // world readable permissions that is stored in an encryption zone from
+    // being localized as a publicly shared file with world readable
+    // permissions.
+    if (!perms.getEncryptedBit()) {
+      FsAction otherAction = perms.getOtherAction();
+      if (otherAction.implies(action)) {
+        return true;
+      }
     }
+
     return false;
   }