Thanks Zhe Zhang for updating the patch with additional. I agree with your analysis that this patch can handle the case where the current user is authenticated by KERBEROS with its Kerberos principle available in keytab but not in TGT cache (not login or expired). However, I think the currentUgi below should be actualUgi to handle the proxy user case.
The original comment I made is on a different use case where the currentUser is authenticated by TOKEN, e.g., a user token passed from distcp mappers on HDFS datanode when using webhdfs + KMS. When DN talks to KMS with the user token, it won't be able to do SPNEGO based authentication. The additional UGI#checkTGTAndReloginFromKeytab in KMSClientProvider will be a no-op in this case as the token based user won't have its Kerberos principle in local keytab or TGT cache, which failed later in doSpnego with a similar stack. I will open a separate JIRA for that.
Regarding simulating kerberos ticket timeout, I can do that with 'kinit -l' on a MIT KDC as shown below. The issue seems like a limitation of org.apache.directory.server.kerberos.kdc.KdcServer used by miniKDC. If there is no obvious solution for that, I'm fine without unit test as long we comment on this JIRA about the validation that have been done before commit.
[ambari-qa@c6402 vagrant]$ kinit -l 1m -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-hdp64@EXAMPLE.COM
[ambari-qa@c6402 vagrant]$ klist
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: ambari-qa-hdp64@EXAMPLE.COM
Valid starting Expires Service principal
12/22/15 08:41:04 12/22/15 08:42:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 12/22/15 08:41:04