If multiple clients with the same principal try to connect to the same server at the same time,
the server assumes a replay attack is in progress. This is a feature of Kerberos. To work
around this, the client backs off for a random interval and then tries to initiate the
connection again. The other problem is ticket expiry. To handle that, a relogin is
attempted.
The retry logic is governed by the #shouldAuthenticateOverKrb method. When the
user doesn't have valid credentials, we don't need to retry (from cache or ticket). In such
cases, it is prudent to throw a runtime exception when we receive a SaslException from the
underlying authentication implementation, so that higher levels (e.g. HCM or HBaseAdmin)
do not retry.
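
An added example (not the project's own code) of the retry policy described above: relogin and random back-off on a SaslException, and a runtime exception when the user has no valid credentials. The KerberosLogin and SaslConnect interfaces, the retry limit and the back-off bound are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.concurrent.ThreadLocalRandom;
import javax.security.sasl.SaslException;

public class SaslRetryExample {
    // Hypothetical hooks standing in for the client's Kerberos login state.
    interface KerberosLogin {
        boolean hasValidCredentials();      // is there anything to relogin with?
        void relogin() throws IOException;  // refresh an expired ticket
    }
    interface SaslConnect { void run() throws IOException; }

    static final int MAX_RETRIES = 5;        // assumed value
    static final int MAX_BACKOFF_MS = 1000;  // assumed value

    // Returns the number of retries that were needed before the connect succeeded.
    static int connectWithRetry(SaslConnect connect, KerberosLogin login)
            throws IOException, InterruptedException {
        for (int attempt = 0; ; attempt++) {
            try {
                connect.run();
                return attempt;
            } catch (SaslException e) {
                if (!login.hasValidCredentials()) {
                    // Retrying cannot help; an unchecked exception stops callers retrying.
                    throw new RuntimeException("SASL failed, no valid credentials", e);
                }
                if (attempt >= MAX_RETRIES) {
                    throw e; // give up after a bounded number of attempts
                }
                login.relogin(); // covers the expired-ticket case
                // Random back-off so clients sharing a principal do not collide again.
                Thread.sleep(ThreadLocalRandom.current().nextInt(MAX_BACKOFF_MS) + 1);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        int[] calls = {0};
        // Constructed scenario: the first two attempts are rejected, the third succeeds.
        SaslConnect flaky = () -> {
            if (calls[0]++ < 2) throw new SaslException("constructed: request treated as replay");
        };
        KerberosLogin withCreds = new KerberosLogin() {
            public boolean hasValidCredentials() { return true; }
            public void relogin() { /* no-op in this constructed scenario */ }
        };
        System.out.println("retries: " + connectWithRetry(flaky, withCreds));
    }
}
```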