Currently, if the Kudu client is used from a thread that has no JAAS Subject with Kerberos credentials, it will log in from the user's ticket cache (in a configurable location).
However, if that original ticket expires, then the client will never re-read the ticket cache. Instead, it will start to get authentication failures, even if the underlying ticket cache on disk has been updated with new credentials.
This causes big issues in Impala – Impala starts a thread which reacquires tickets from its keytab and writes them into its ticket cache, but with existing versions of Kudu, the client won't pick up these new tickets. Impala also currently caches Kudu clients "forever". So, after 30 days (or whatever the ticket lifetime is), Impala will become unable to query Kudu.