Kudu clients do not automatically request fresh tokens after initial token expiration, so long-lived clients in secure clusters are not supported.
A process to refresh tokens about to expire would enable the use of long-lived clients with secure clusters.
NOTE: It's possible to get a new token only when primary user credentials are available. In case if a client is created using imported authenticaion_credentials (i.e. using AsyncKuduClient.importAuthenticationCredentials()), re-acquiring a new token is not possible by design.