When accessing entities via REST, you needed:
- the
restful get entity:nodepermission to view nodes - the
restful post entity:nodepermission to create nodes - the
restful patch entity:commentpermission to update comments - and so on
This was actually only meant to be a temporary measure, because we already have an Entity Access API that governs access/operations to/on those entities. And in fact, Entity Access is respected when accessing entities via REST. So, there was no more reason for this to exist in Drupal 8.0.x and Drupal 8.1.x, but it was simply forgotten to be removed before Drupal 8.0.0's release.
The fact that you needed to grant both those permissions as well as Entity Access needing to grant you access, was a source of confusion and frustration with Drupal 8's REST API, which has now been fixed.
So, as of Drupal 8.2.0, new installations no longer need those permissions to access entities via REST. Existing installations continue to have the old behavior. Existing sites can opt out of that behavior, and opt in to the new behavior, by modifying the rest.settings configuration from
bc_entity_resource_permissions: true
to
bc_entity_resource_permissions: false
(The latter is the default on new Drupal 8.2 installations.)
