diff --git a/core/modules/node/src/NodeAccessControlHandler.php b/core/modules/node/src/NodeAccessControlHandler.php
index 6475f9b..d70a8a9 100644
--- a/core/modules/node/src/NodeAccessControlHandler.php
+++ b/core/modules/node/src/NodeAccessControlHandler.php
@@ -109,7 +109,7 @@ protected function checkAccess(EntityInterface $node, $operation, $langcode, Acc
       return AccessResult::allowed()->cachePerPermissions()->cachePerUser()->cacheUntilEntityChanges($node);
     }
 
-    // Evaluate node_access table records created by hook_node_grants().
+    // Evaluate node grants.
     return $this->grantStorage->access($node, $operation, $langcode, $account);
   }
 
diff --git a/core/modules/node/src/NodeGrantDatabaseStorage.php b/core/modules/node/src/NodeGrantDatabaseStorage.php
index a44f855..9355aa0 100644
--- a/core/modules/node/src/NodeGrantDatabaseStorage.php
+++ b/core/modules/node/src/NodeGrantDatabaseStorage.php
@@ -69,8 +69,8 @@ public function access(NodeInterface $node, $operation, $langcode, AccountInterf
     // If no module implements the hook or the node does not have an id there is
     // no point in querying the database for access grants.
     if (!$this->moduleHandler->getImplementations('node_grants') || !$node->id()) {
-      // Return the equivalent of the fallback grant: allow to view if node is
-      // published.
+      // Return the equivalent of the default grant, defined by
+      // self::writeDefault().
       if ($operation === 'view') {
         return AccessResult::allowedIf($node->getTranslation($langcode)->isPublished())->cacheUntilEntityChanges($node);
       }
diff --git a/core/modules/node/src/NodeGrantDatabaseStorageInterface.php b/core/modules/node/src/NodeGrantDatabaseStorageInterface.php
index e2f132d..1361c0d 100644
--- a/core/modules/node/src/NodeGrantDatabaseStorageInterface.php
+++ b/core/modules/node/src/NodeGrantDatabaseStorageInterface.php
@@ -106,7 +106,12 @@ public function writeDefault();
    *   The user for which to check access.
    *
    * @return \Drupal\Core\Access\AccessResultInterface
-   *   The access result, either allowed or neutral.
+   *   The access result, either allowed or neutral. If there are no node
+   *   grants, the default grant defined by writeDefault() is applied.
+   *
+   * @see hook_node_grants()
+   * @see hook_node_access_records()
+   * @see \Drupal\node\NodeGrantDatabaseStorageInterface::writeDefault()
    */
   public function access(NodeInterface $node, $operation, $langcode, AccountInterface $account);
 
diff --git a/core/modules/node/src/Tests/NodeAccessGrantsTest.php b/core/modules/node/src/Tests/NodeAccessGrantsTest.php
index 4c924c8..99dedaf 100644
--- a/core/modules/node/src/Tests/NodeAccessGrantsTest.php
+++ b/core/modules/node/src/Tests/NodeAccessGrantsTest.php
@@ -7,14 +7,14 @@
 
 namespace Drupal\node\Tests;
 
-use Drupal\node\Entity\NodeType;
-
 /**
  * Tests basic node_access functionality with hook_node_grants().
  *
  * This test just wraps the existing default permissions test while a module
  * that implements hook_node_grants() is enabled.
  *
+ * @see \Drupal\node\NodeGrantDatabaseStorage
+ *
  * @group node
  */
 class NodeAccessGrantsTest extends NodeAccessTest {
@@ -24,19 +24,6 @@ class NodeAccessGrantsTest extends NodeAccessTest {
    *
    * @var array
    */
-  public static $modules = array('node', 'datetime', 'node_access_test');
-
-  /**
-   * {@inheritdoc}
-   */
-  protected function setUp() {
-    parent::setUp();
-
-    // Make sure the grants in node_access_test_node_access_records() are not
-    // actually considered, because they break assertions in NodeAccessTest. The
-    // fact that the hook is implemented is enough for this test.
-    \Drupal::state()->set('node_access_test.private', TRUE);
-    node_access_test_add_field(NodeType::load('page'));
-  }
+  public static $modules = array('node_access_test_empty');
 
 }
diff --git a/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.info.yml b/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.info.yml
new file mode 100644
index 0000000..8daafc2
--- /dev/null
+++ b/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.info.yml
@@ -0,0 +1,6 @@
+name: 'Node module empty access tests'
+type: module
+description: 'Support module for node permission testing. Provides empty grants hook implementations.'
+package: Testing
+version: VERSION
+core: 8.x
diff --git a/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.module b/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.module
new file mode 100644
index 0000000..67558e6
--- /dev/null
+++ b/core/modules/node/tests/modules/node_access_test_empty/node_access_test_empty.module
@@ -0,0 +1,22 @@
+<?php
+
+/**
+ * @file
+ * Empty node access hook implementations.
+ */
+
+use Drupal\node\NodeInterface;
+
+/**
+ * Implements hook_node_grants().
+ */
+function node_access_test_empty_node_grants($account, $op) {
+  return array();
+}
+
+/**
+ * Implements hook_node_access_records().
+ */
+function node_access_test_empty_node_access_records(NodeInterface $node) {
+  return array();
+}