Some of our issues with Spark job failing may have been caused by our 24-hour Kerberos tickets expiring while the jobs were running.
To help alleviate this, we can update the check_kerberos_auth function to fail unless the user's Kerberos ticket is valid for at least 8 hours more. This will mean users need to kinit slightly more often, but in any case no more than once a workday.