Default value for hbase.security.authorization has been changed from true to false. Secured clusters should make sure to explicitly set it to true in XML configuration file before upgrading to one of these versions. ( https://issues.apache.org/jira/browse/HBASE-19483)
True as default value of hbase.security.authorization doesn't make any sense, since not all clusters need authorization. (History: HBASE-13275 <https://issues.apache.org/jira/browse/HBASE-13275>) Rather, only the clusters which need authorization should set this config as false. Going further, setting this config should be single switch to enable/disable authorization, conditional on appropriate coprocessors loaded (a condition we'll try to remove in future by incorporating access control directly into hbase as core feature rather then as coprocessor). -- Appy