We found that the SHOW GRANT statement does not really perform a check for the requesting user to determine whether the requesting user is authorized to access the result. Specifically, there is no such check in RangerImpaladAuthorizationManager#getPrivileges().
Recall that such a check was performed when we were using Sentry as the authorization provider. Refer to SentryImpaladAuthorizationManager#getPrivileges().
Such an issue is partly due to the fact that we do not have a dedicated Ranger API to check whether a user is a Ranger administrator, which is also currently tracked at RANGER-3127.