You can replicate this bug by recreating my setup, which I describe below:
I have our "default" database set up to only allow SELECT for user "skrishnan". But user skrishnan has "ALL" privileges on database "skrishnan".
The following works correctly (i.e user shouldn't be able to create a table in the default database):
hive> use default;
Time taken: 0.043 seconds
hive> create table skrishnan_test(i int);
Authorization failed:No privilege 'Create' found for outputs
. Use show grant to get more details. (Correct Behavior)
However, user skrishnan can indeed create tables in the default database by doing this:
hive> use skrishnan;
Time taken: 0.038 seconds
hive> create table default.skrishnan_test(i int);
Time taken: 0.34 seconds (Incorrect behavior)
That means that the database level authorization is basically circumvented by first using a database that a user has all privileges to. And then using the fully qualified table name (db_name.table_name) for a database that a user doesn't have permissions to.