note that UGI.renewTGT is low cost if not needed

Author: steveloughran

sections/jdk_versions.md

@@ -39,10 +39,10 @@ Using internal classes is one of those "don't do this your code will be unreliab
 ### Key things to know
 
 * Hadoop is built and tested against the Oracle JDKs
-* Open JDK has the same classes & methods, so will behave consistently; it's tested against too.
+* Open JDK has the same classes and methods, so will behave consistently; it's tested against too.
 * It's left to the vendors of other JVMs to test their code; the patches are taken on trust.
 * The Kerberos internal access usually needs fixing across Java versions. This means secure Hadoop clusters absolutely require the Java versions listed on the download requirements.
-* Releases within a Java version  may break the internals and/or the public API's behaviour.
+* Releases within a Java version may break the internals and/or the public API's behaviour.
 * If you want to see the details of Hadoop's binding, look in `org.apache.hadoop.security.authentication.util.KerberosUtil` in the `hadoop-auth` module.
 
 To put it differently: 

sections/ugi.md

@@ -126,9 +126,14 @@ must be loaded in advance.
 
 If security is not enabled, this is a no-op.
 
-If security is enabled, this will trigger a re-login if needed (which may fail,
+If security is enabled, and the last login took place "long enough ago",
+this will trigger a re-login if needed (which may fail,
 of course).
 
+If the last successful login was recent enough, this will be a no-op. This makes it a low
+cost operation to include in IPC/REST client operations so as to ensure that your
+tickets are up to date.
+
 *Important*: If the login fails, UGI will remember this and not retry until a time
 limit has passed, even if other methods invoke the operation. The property
 `hadoop.kerberos.min.seconds.before.relogin` controls this delay; the default is 60s.