We noticed that when authentication is required
(with `-hash_login` for h2o backend/external cluster),
and users connecting to it from Sparkling Water,
then using SW endpoint they can login without username/password.
Seems to be a security loophole in authentication.
We would expect if authentication is enabled, all connections have to be authenticated,
not just ones that are going directly to h2o,
In Sparkling water 220.127.116.11 this is fixed on external backend by running it with the option spark.ext.h2o.rest.api.based.client=true for Python apps