If I set `--credentials` on the master, framework and slave authentication are allowed, but not required. On the other hand, http authentication is now required for authenticated endpoints (currently only `/shutdown`). That means that I cannot enable framework or slave authentication without also enabling http endpoint authentication. This is undesirable.
Framework and slave authentication have separate flags (`--authenticate` and `--authenticate_slaves`) to require authentication for each. It would be great if there was also such a flag for http authentication. Or maybe we get rid of these flags altogether and rely on ACLs to determine which unauthenticated principals are even allowed to authenticate for each endpoint/action.