Trailing slash on cluster resource causes incorrect authorization logic flow. It is debatable whether Ambari should allow this, but since it seems to in other cases - like if the user was an Ambari Administrator - this should be fixed.
The problem occurs in the org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter, where the filter attempts to figure out what the user is trying to get access to. Since the regular expression for Cluster resources does not acknowledge that a trailing "/" after the cluster name indicates a cluster, the request does not fall through to the Cluster resource handler (org.apache.ambari.server.controller.internal.ClusterResourceProvider) for authorization checks. It uses the legacy logic, which is a little flawed as well.
The fix for this is to allow the trailing "/" in the regular expression representing Cluster requests:
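The filter's actual pattern is not reproduced here. As an added illustration (not Ambari's code; the two patterns, the `Route` enum and the sample paths are assumptions constructed for this example), the following shows how a cluster pattern without an optional trailing "/" sends the same resource down a different authorization path:

```java
import java.util.regex.Pattern;

public class ClusterPathRouting {
    // Hypothetical patterns, NOT the ones in AmbariAuthorizationFilter.
    // STRICT matches a cluster only when nothing follows the cluster name.
    static final Pattern STRICT = Pattern.compile("/api/v\\d+/clusters/[^/]+");
    // TOLERANT also accepts a single trailing "/" after the cluster name.
    static final Pattern TOLERANT = Pattern.compile("/api/v\\d+/clusters/[^/]+/?");

    // Which authorization path a request ends up on (names are illustrative).
    enum Route { CLUSTER_RESOURCE_CHECK, LEGACY_CHECK }

    // matches() anchors at both ends, so a path with extra characters after
    // the cluster name is not treated as a cluster request.
    static Route route(Pattern clusterPattern, String path) {
        return clusterPattern.matcher(path).matches()
                ? Route.CLUSTER_RESOURCE_CHECK
                : Route.LEGACY_CHECK;
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] paths = {
            "/api/v1/clusters/c1",       // cluster under both patterns
            "/api/v1/clusters/c1/",      // cluster only under TOLERANT
            "/api/v1/clusters/c1/hosts"  // sub-resource, never a cluster match
        };
        for (String p : paths) {
            System.out.printf("%-28s strict=%-24s tolerant=%s%n",
                    p, route(STRICT, p), route(TOLERANT, p));
        }
    }
}
```

With the strict pattern, `/api/v1/clusters/c1/` is routed to `LEGACY_CHECK` while `/api/v1/clusters/c1` goes to `CLUSTER_RESOURCE_CHECK`; the tolerant pattern routes both to the same check and still leaves the `hosts` sub-resource out of the cluster match.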