This should work for the REST route as well as it is not specific to REST or Thrift. Needless to say, the real user or their groups need to be given the appropriate privileges (ACLs / visibility tag authorizations).
Additionally, these properties added to core-site.xml would enable group lookup for a real user, so groups needed for authorizing a real user can be enumerated (we are yet to test this):
It is a bug. There is a jira for the issue and apparently it was resolved in version 3.0.0. This is the apache hbase site - not necessarily your distro version. Cloudera say the issue is resolved in 3.1.4. We have raised a support ticket with Cloudera and they are patching our current distro version of hbase and providing us with a new binary.