The patch in
HADOOP-15808 turns out not to be enough; Token.toString() fails if any token in the service lists isn't known.
If any JAR lists a class in META-INF/services/org.apache.hadoop.security.token.TokenIdentifier which refers to a class which for any reason cannot load (e.g. it depends on a class which is in a JAR that is not on the classpath), then the enumeration of all tokens and their supported kinds will fail. This can surface in Token.toString(), but it will also break the RM token renewal thread.