It depends on the order of which region be opened first.
Suppose we have one 1 regionserver and only 1 user region REGION-A on this server, acl region was on another regionserver. acl was opened a few seconds before REGION-A.
The global authorization data read from Zookeeper was overwritten by the data read from configuration.
This issue can be easily reproduced by below steps:
1. Start a cluster with 3 regionservers.
2. Create a new table T1.
3. grant a new user USER-A with global authorization.
4. Kill 1 regionserver RS3 and switch balance off.
5. Start regionserver RS3.
6. Assign region T1 to RS3.
7. Put data with user USER-A.