@Laxman if you look at TableAuthManager there're two SkipList USER_CACHE and TABLE_USER_CACHE
USER_CACHE contains the global rights, TABLE_USER_CACHE contains the table one.
hbase.superuser is read at startup TableAuthManager.initGlobal() and fills the USER_CACHE with specified users with RWCA rights (so is not just ADMIN is RWCA)
All CA operation are checked against global rights (USER_CACHE)
so specifying CA in table rights has no effect.
grant 'user', 'RWCA' -> fill USER_CACHE global rights
grant 'user', 'RW', 'table' -> FILL TABLE_USER_CACHE
this means if you're "global granted" (CREATE/ADMIN) you can add/modify/remove tables with the restriction that, if you've CREATE you can just modify/delete your own table while ADMIN you can modify/delete all the available tables.
if you're table granted you can do just read/write depends on what is your permission, but you don't have the ability to create/modify/delete even if you've CA (CA are not checked against TABLE_USER_CACHE just USER_CACHE)
for checkAndPut()/checkAndDelete() there's a jira open
HBASE-6062 and yes it needs to check both Read and Write.