When accessing entities via REST, you needed:
- "restful get entity:node" permission to view nodes
- "restful post entity:node" permission to create nodes
- "restful patch entity:comment" permission to update comments
- and so on
This was only ever meant to be a temporary measure, because we already have an Entity Access API that governs access to, and operations on, those entities. In fact, Entity Access is respected when accessing entities via REST. So there was no longer any reason for these permissions to exist in Drupal 8.0.x and Drupal 8.1.x; removing them before Drupal 8.0.0's release was simply forgotten.
Having to grant those permissions in addition to Entity Access granting you access was a source of confusion and frustration with Drupal 8's REST API, which has now been fixed.
So, as of Drupal 8.2.0, new installations no longer need those permissions to access entities via REST. Existing installations continue to have the old behavior. Existing sites can opt out of that behavior, and opt in to the new behavior, by modifying the rest.settings configuration from
(The latter is the default on new Drupal 8.2 installations.)
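Before an existing site opts in, it helps to see which role and method combinations were held back only by the REST-specific permission, since those become reachable once Entity Access alone decides. The following is an added example, not Drupal code: it models both rules on constructed data, and the role names, permission sets and `entity_access` table are hypothetical stand-ins for what a site's Entity Access would actually return. It assumes the entity REST resource is enabled for each method.

```python
# Added example: models the two access rules described above on constructed data.
# Role names, permission sets and the entity_access table are hypothetical.

# REST method -> Entity Access operation (get/view, post/create, patch/update
# are from the text; delete is assumed to be the analogous fourth case).
OPERATIONS = {"get": "view", "post": "create", "patch": "update", "delete": "delete"}

def rest_permission(method, entity_type):
    """Name of the REST-specific permission, e.g. 'restful get entity:node'."""
    return f"restful {method} entity:{entity_type}"

def allowed_old(role_perms, entity_access, method, entity_type):
    """Old behaviour: the REST permission AND Entity Access must both allow."""
    return (rest_permission(method, entity_type) in role_perms
            and (entity_type, OPERATIONS[method]) in entity_access)

def allowed_new(entity_access, method, entity_type):
    """Behaviour on new 8.2.0 installations: Entity Access alone decides."""
    return (entity_type, OPERATIONS[method]) in entity_access

def newly_reachable(roles, entity_types):
    """(role, method, entity_type) triples allowed only under the new behaviour."""
    gained = []
    for role, data in sorted(roles.items()):
        for entity_type in entity_types:
            for method in OPERATIONS:
                old = allowed_old(data["permissions"], data["entity_access"],
                                  method, entity_type)
                new = allowed_new(data["entity_access"], method, entity_type)
                if new and not old:
                    gained.append((role, method, entity_type))
    return gained

# Constructed sample: permissions each role holds, and what Entity Access grants it.
ROLES = {
    "anonymous": {"permissions": set(), "entity_access": {("node", "view")}},
    "editor": {
        "permissions": {"restful get entity:node", "restful patch entity:comment"},
        "entity_access": {("node", "view"), ("node", "create"), ("comment", "update")},
    },
}

if __name__ == "__main__":
    for triple in newly_reachable(ROLES, ["node", "comment"]):
        print(*triple)
```

Every triple it reports is an operation Entity Access already permits for that role through other channels, so the list is a review aid for confirming those grants are intended before REST stops filtering them.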