GitHub user dyozie commented on a diff in the pull request:

    https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143873572
  
    --- Diff: markdown/clientaccess/kerberos.html.md.erb ---
    @@ -476,7 +476,8 @@ Perform the following steps to configure Kerberos 
authentication for specific HA
     
     ### <a id="hawq_kerb_dbaccess"></a>Authenticating User Access to HAWQ 
     
    -When Kerberos user authentication is enabled for HAWQ, users must request 
a ticket from the Kerberos KDC server before connecting to HAWQ. You must 
request the ticket for a principal matching the requested database user name. 
When granted, the ticket expires after a set period of time, after which you 
will need to request another ticket.
    +When Kerberos user authentication is enabled for HAWQ, users must request 
a ticket from the Kerberos KDC server before connecting to HAWQ. You must 
request the ticket for a principal matching the requested database user name. 
When granted, the ticket expires after a set period of time, after which you 
must either request another ticket or have the ticket renewed. The default 
expiration time is 12 hours, set in the parameter 
`server_ticket_renew_interval`. To avoid KDC access issues, the ticket should 
be renewed before it expires.
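
Review bot: The added sentence "The default expiration time is 12 hours, set in the parameter `server_ticket_renew_interval`" equates a ticket's expiration time with a parameter whose name describes a renewal interval. Those are different settings, so the text should state which one this parameter controls and whether it applies to the user ticket this section is about. The closing sentence "the ticket should be renewed before it expires" also leaves out who performs the renewal and how; name the actor and the mechanism, and give the unit the parameter is expressed in. The paragraph additionally switches from "users must request" to "You must request", which is worth making consistent while this text is being edited.
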
    --- End diff --
    
    Should probably add that the actual expiration default/configuration is 
Kerberos software-dependent.

