HADOOP-14047 makes KMS call HttpServer2#setACL. Access control works fine for /conf, /jmx, /logLevel, and /stacks, but not for /logs.
The code in AdminAuthorizedServlet#doGet for /logs and ConfServlet#doGet for /conf are quite similar. This makes me believe that /logs should subject to the same access control as intended by the original developer.
IMHO this could either be my misconfiguration or there is a bug somewhere in HttpServer2.