Merge branch 'master' into fix/client-cookie

Original commit: elastic/x-pack-elasticsearch@a9920d5626
2016-05-24 11:39:42 -07:00 · 2016-05-24 11:39:42 -07:00 · 00fba58c56
parent c2ae64c7ed 7d232e4133
commit 00fba58c56
63 changed files with 339 additions and 310 deletions
--- a/elasticsearch/license/base/build.gradle
+++ b/elasticsearch/license/base/build.gradle
@ -5,6 +5,8 @@ dependencies {
  testCompile "org.elasticsearch.test:framework:${version}"
 }
 compactProfile = 'full'
 dependencyLicenses.enabled = false
 jar {
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/CryptUtils.java
@ -6,8 +6,6 @@
 package org.elasticsearch.license.core;
 import org.elasticsearch.common.Base64;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
@ -27,6 +25,7 @@ import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 public class CryptUtils {
    private static final int minimumPadding = 20;
@ -251,6 +250,6 @@ public class CryptUtils {
    private static char[] hashPassPhrase(String passPhrase) throws NoSuchAlgorithmException {
        final byte[] passBytes = passPhrase.getBytes(StandardCharsets.UTF_8);
        final byte[] digest = MessageDigest.getInstance(passHashAlgorithm).digest(passBytes);
-        return new String(Base64.encodeBytesToBytes(digest), StandardCharsets.UTF_8).toCharArray();
+        return Base64.getEncoder().encodeToString(digest).toCharArray();
    }
 }
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/License.java
@ -8,7 +8,6 @@ package org.elasticsearch.license.core;
 import org.apache.lucene.util.CollectionUtil;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.ToXContent;
@ -20,6 +19,7 @@ import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Locale;
@ -388,7 +388,7 @@ public class License implements ToXContent {
        }
        // not a license spec
        if (builder.signature != null) {
-            byte[] signatureBytes = Base64.decode(builder.signature);
+            byte[] signatureBytes = Base64.getDecoder().decode(builder.signature);
            ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            int version = byteBuffer.getInt();
            // we take the absolute version, because negative versions
@ -415,10 +415,10 @@ public class License implements ToXContent {
     */
    public static boolean isAutoGeneratedLicense(String signature) {
        try {
-            byte[] signatureBytes = Base64.decode(signature);
+            byte[] signatureBytes = Base64.getDecoder().decode(signature);
            ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            return byteBuffer.getInt() < 0;
-        } catch (IOException e) {
+        } catch (IllegalArgumentException e) {
            throw new IllegalStateException(e);
        }
    }
--- a/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java
+++ b/elasticsearch/license/base/src/main/java/org/elasticsearch/license/core/LicenseVerifier.java
@ -5,7 +5,6 @@
 */
 package org.elasticsearch.license.core;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@ -18,6 +17,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 /**
@ -35,7 +35,7 @@ public class LicenseVerifier {
        byte[] signedContent = null;
        byte[] signatureHash = null;
        try {
-            byte[] signatureBytes = Base64.decode(license.signature());
+            byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            int version = byteBuffer.getInt();
            int magicLen = byteBuffer.getInt();
@ -53,7 +53,7 @@ public class LicenseVerifier {
            rsa.initVerify(CryptUtils.readEncryptedPublicKey(encryptedPublicKeyData));
            rsa.update(contentBuilder.bytes().toBytes());
            return rsa.verify(signedContent)
-                    && Arrays.equals(Base64.encodeBytesToBytes(encryptedPublicKeyData), signatureHash);
+                    && Arrays.equals(Base64.getEncoder().encode(encryptedPublicKeyData), signatureHash);
        } catch (IOException | NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        } finally {
--- a/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java
+++ b/elasticsearch/license/licensor/src/main/java/org/elasticsearch/license/licensor/LicenseSigner.java
@ -5,7 +5,6 @@
 */
 package org.elasticsearch.license.licensor;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@ -22,6 +21,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Base64;
 import java.util.Collections;
 /**
@ -63,7 +63,7 @@ public class LicenseSigner {
        final byte[] magic = new byte[MAGIC_LENGTH];
        SecureRandom random = new SecureRandom();
        random.nextBytes(magic);
-        final byte[] hash = Base64.encodeBytesToBytes(Files.readAllBytes(publicKeyPath));
+        final byte[] hash = Base64.getEncoder().encode(Files.readAllBytes(publicKeyPath));
        assert hash != null;
        byte[] bytes = new byte[4 + 4 + MAGIC_LENGTH + 4 + hash.length + 4 + signedContent.length];
        ByteBuffer byteBuffer = ByteBuffer.wrap(bytes);
@ -76,7 +76,7 @@ public class LicenseSigner {
                .put(signedContent);
        return License.builder()
-                .fromLicenseSpec(licenseSpec, Base64.encodeBytes(bytes))
+                .fromLicenseSpec(licenseSpec, Base64.getEncoder().encodeToString(bytes))
                .build();
    }
 }
--- a/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java
+++ b/elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/SearchTransformIT.java
@ -10,7 +10,6 @@ import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchType;
 import org.elasticsearch.client.Requests;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.io.Streams;
@ -60,6 +59,7 @@ import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Map;
@ -214,7 +214,7 @@ public class SearchTransformIT extends ESIntegTestCase {
        assertThat(map.get("query"), instanceOf(String.class));
        String queryAsBase64 = (String) map.get("query");
-        String decodedQuery = new String(Base64.decode(queryAsBase64), StandardCharsets.UTF_8);
+        String decodedQuery = new String(Base64.getDecoder().decode(queryAsBase64), StandardCharsets.UTF_8);
        assertThat(decodedQuery, containsString("_unknown_query_"));
    }
--- a/elasticsearch/x-dev-tools/smoke_test_xpack_rc.py
+++ b/elasticsearch/x-dev-tools/smoke_test_xpack_rc.py
@ -140,12 +140,12 @@ def smoke_test_release(release, files, expected_hash):
        # put the supplied license to ensure that system was built with 
        license = read_fully(os.path.join(os.path.dirname(__file__), 'license.json'))
-        conn.request('PUT', '/_license?acknowledge=true', license, headers=headers)
+        conn.request('PUT', '/_xpack/license?acknowledge=true', license, headers=headers)
        res = conn.getresponse()
        # reading the result, so we can execute the next request on the same connection
        license_resp = json.loads(res.read().decode('utf-8'))
        if res.status != 200:
-          raise RuntimeError('Could not PUT _license, got status %s' % res.status)
+          raise RuntimeError('Could not PUT _xpack/license, got status %s' % res.status)
        if license_resp['license_status'] != 'valid':
          raise RuntimeError('Expected license to be valid, but was %s' % license_resp['license_status'])
--- a/elasticsearch/x-pack/build.gradle
+++ b/elasticsearch/x-pack/build.gradle
@ -35,6 +35,10 @@ dependencies {
  compile 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:r239'
  compile 'com.google.guava:guava:16.0.1' // needed by watcher for the html sanitizer and shield tests for jimfs
  compile 'com.sun.mail:javax.mail:1.5.3'
  // HACK: java 9 removed javax.activation from the default modules, so instead of trying to add modules, which would have
  // to be conditionalized for java 8/9, we pull in the classes directly
  compile 'javax.activation:activation:1.1'
  testCompile 'org.subethamail:subethasmtp:3.1.7'
  // needed for subethasmtp, has @GuardedBy annotation
  testCompile 'com.google.code.findbugs:jsr305:3.0.1'
@ -169,6 +173,42 @@ thirdPartyAudit.excludes = [
    'com.google.common.cache.Striped64$Cell',
    'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator',
    'com.google.common.primitives.UnsignedBytes$LexicographicalComparatorHolder$UnsafeComparator$1',
    // pulled in as external dependency to work on java 9
    'com.sun.activation.registries.LineTokenizer',
    'com.sun.activation.registries.LogSupport',
    'com.sun.activation.registries.MailcapFile',
    'com.sun.activation.registries.MailcapParseException',
    'com.sun.activation.registries.MailcapTokenizer',
    'com.sun.activation.registries.MimeTypeEntry',
    'com.sun.activation.registries.MimeTypeFile',
    'javax.activation.ActivationDataFlavor',
    'javax.activation.CommandInfo',
    'javax.activation.CommandMap',
    'javax.activation.CommandObject',
    'javax.activation.DataContentHandler',
    'javax.activation.DataContentHandlerFactory',
    'javax.activation.DataHandler$1',
    'javax.activation.DataHandler',
    'javax.activation.DataHandlerDataSource',
    'javax.activation.DataSource',
    'javax.activation.DataSourceDataContentHandler',
    'javax.activation.FileDataSource',
    'javax.activation.FileTypeMap',
    'javax.activation.MailcapCommandMap',
    'javax.activation.MimeType',
    'javax.activation.MimeTypeParameterList',
    'javax.activation.MimeTypeParseException',
    'javax.activation.MimetypesFileTypeMap',
    'javax.activation.ObjectDataContentHandler',
    'javax.activation.SecuritySupport$1',
    'javax.activation.SecuritySupport$2',
    'javax.activation.SecuritySupport$3',
    'javax.activation.SecuritySupport$4',
    'javax.activation.SecuritySupport$5',
    'javax.activation.SecuritySupport',
    'javax.activation.URLDataSource',
    'javax.activation.UnsupportedDataTypeException'    
 ]
 // someone figure out what the x-plugins logic should be
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesMetaData.java
@ -9,7 +9,6 @@ import org.apache.lucene.util.CollectionUtil;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.AbstractDiffable;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.ToXContent;
@ -21,6 +20,7 @@ import org.elasticsearch.license.core.License;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.EnumSet;
 import java.util.List;
@ -114,7 +114,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
                            while (parser.nextToken() != XContentParser.Token.END_ARRAY) {
                                if (parser.currentToken().isValue()) {
                                    // trial license
-                                    byte[] data = decrypt(Base64.decode(parser.text()));
+                                    byte[] data = decrypt(Base64.getDecoder().decode(parser.text()));
                                    try (XContentParser trialLicenseParser =
                                                 XContentFactory.xContent(XContentType.JSON).createParser(data)) {
                                        trialLicenseParser.nextToken();
@ -186,7 +186,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
                XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
                license.toXContent(contentBuilder,
                        new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-                streamOutput.writeString(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+                streamOutput.writeString(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
            }
        } else {
            if (license == LICENSE_TOMBSTONE) {
@ -209,7 +209,7 @@ public class LicensesMetaData extends AbstractDiffable<MetaData.Custom> implemen
            }
            int numTrialLicenses = streamInput.readVInt();
            for (int i = 0; i < numTrialLicenses; i++) {
-                byte[] data = decrypt(Base64.decode(streamInput.readString()));
+                byte[] data = decrypt(Base64.getDecoder().decode(streamInput.readString()));
                try (XContentParser trialLicenseParser = XContentFactory.xContent(XContentType.JSON).createParser(data)) {
                    trialLicenseParser.nextToken();
                    License pre20TrialLicense = License.fromXContent(trialLicenseParser);
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java
@ -149,7 +149,7 @@ public class LicensesService extends AbstractLifecycleComponent<LicensesService>
    }
    private void populateExpirationCallbacks() {
-        expirationCallbacks.add(new ExpirationCallback.Pre(days(7), days(30), days(1)) {
+        expirationCallbacks.add(new ExpirationCallback.Pre(days(7), days(25), days(1)) {
                                    @Override
                                    public void on(License license) {
                                        String general = LoggerMessageFormat.format(null, "\n" +
@ -174,9 +174,9 @@ public class LicensesService extends AbstractLifecycleComponent<LicensesService>
                                                    }
                                                }
                                            }
-                                            logger.error("{}", builder);
+                                            logger.warn("{}", builder);
                                        } else {
-                                            logger.error("{}", general);
+                                            logger.warn("{}", general);
                                        }
                                    }
                                }
@ -206,9 +206,9 @@ public class LicensesService extends AbstractLifecycleComponent<LicensesService>
                                                    }
                                                }
                                            }
-                                            logger.error("{}", builder.toString());
+                                            logger.warn("{}", builder.toString());
                                        } else {
-                                            logger.error("{}", general);
+                                            logger.warn("{}", general);
                                        }
                                    }
                                }
@ -238,9 +238,9 @@ public class LicensesService extends AbstractLifecycleComponent<LicensesService>
                                                    }
                                                }
                                            }
-                                            logger.error("{}", builder.toString());
+                                            logger.warn("{}", builder.toString());
                                        } else {
-                                            logger.error("{}", general);
+                                            logger.warn("{}", general);
                                        }
                                    }
                                }
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/TrialLicense.java
@ -5,7 +5,6 @@
 */
 package org.elasticsearch.license.plugin.core;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
@ -15,6 +14,7 @@ import org.elasticsearch.license.core.License;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Base64;
 import java.util.Collections;
 import static org.elasticsearch.license.core.CryptUtils.decrypt;
@ -39,7 +39,7 @@ public class TrialLicense {
            byteBuffer.putInt(-License.VERSION_CURRENT)
                    .putInt(encrypt.length)
                    .put(encrypt);
-            signature = Base64.encodeBytes(bytes);
+            signature = Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
@ -48,7 +48,7 @@ public class TrialLicense {
    public static boolean verify(final License license) {
        try {
-            byte[] signatureBytes = Base64.decode(license.signature());
+            byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            int version = byteBuffer.getInt();
            int contentLen = byteBuffer.getInt();
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestDeleteLicenseAction.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestDeleteLicenseAction.java
@ -23,7 +23,7 @@ public class RestDeleteLicenseAction extends BaseRestHandler {
    @Inject
    public RestDeleteLicenseAction(Settings settings, RestController controller, Client client) {
        super(settings, client);
-        controller.registerHandler(DELETE, "/_license", this);
+        controller.registerHandler(DELETE, "/_xpack/license", this);
    }
    @Override
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestGetLicenseAction.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestGetLicenseAction.java
@ -34,7 +34,7 @@ public class RestGetLicenseAction extends BaseRestHandler {
    @Inject
    public RestGetLicenseAction(Settings settings, RestController controller, Client client) {
        super(settings, client);
-        controller.registerHandler(GET, "/_license", this);
+        controller.registerHandler(GET, "/_xpack/license", this);
    }
    /**
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestPutLicenseAction.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/rest/RestPutLicenseAction.java
@ -30,8 +30,8 @@ public class RestPutLicenseAction extends BaseRestHandler {
    @Inject
    public RestPutLicenseAction(Settings settings, RestController controller, Client client) {
        super(settings, client);
-        controller.registerHandler(PUT, "/_license", this);
+        controller.registerHandler(PUT, "/_xpack/license", this);
-        controller.registerHandler(POST, "/_license", this);
+        controller.registerHandler(POST, "/_xpack/license", this);
    }
    @Override
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/TrialLicenseTests.java
@ -5,7 +5,6 @@
 */
 package org.elasticsearch.license.plugin;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
@ -17,6 +16,7 @@ import org.elasticsearch.test.ESTestCase;
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.UUID;
@ -102,7 +102,7 @@ public class TrialLicenseTests extends ESTestCase {
            byteBuffer.putInt(-spec.version())
                    .putInt(encrypt.length)
                    .put(encrypt);
-            signature = Base64.encodeBytes(bytes);
+            signature = Base64.getEncoder().encodeToString(bytes);
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesMetaDataSerializationTests.java
@ -9,7 +9,6 @@ import org.elasticsearch.Version;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.cluster.metadata.RepositoriesMetaData;
 import org.elasticsearch.cluster.metadata.RepositoryMetaData;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.ByteBufferStreamInput;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.settings.Settings;
@ -26,6 +25,7 @@ import org.elasticsearch.license.plugin.TestUtils;
 import org.elasticsearch.test.ESTestCase;
 import java.nio.ByteBuffer;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.UUID;
@ -113,7 +113,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
        builder.startArray("trial_licenses");
        XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
        trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
        builder.endArray();
        builder.startArray("signed_licenses");
        builder.endArray();
@ -143,7 +143,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
        builder.startArray("trial_licenses");
        contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
        trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
        builder.endArray();
        builder.startArray("signed_licenses");
        signedLicense.toXContent(builder, ToXContent.EMPTY_PARAMS);
@ -162,7 +162,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
        builder.startArray("trial_licenses");
        contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
        trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        builder.value(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        builder.value(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
        builder.endArray();
        builder.startArray("signed_licenses");
        signedLicense.toXContent(builder, ToXContent.EMPTY_PARAMS);
@ -190,7 +190,7 @@ public class LicensesMetaDataSerializationTests extends ESTestCase {
        output.writeVInt(1);
        XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
        trialLicense.toXContent(contentBuilder, new ToXContent.MapParams(Collections.singletonMap(License.LICENSE_SPEC_VIEW_MODE, "true")));
-        output.writeString(Base64.encodeBytes(encrypt(contentBuilder.bytes().toBytes())));
+        output.writeString(Base64.getEncoder().encodeToString(encrypt(contentBuilder.bytes().toBytes())));
        byte[] bytes = output.bytes().toBytes();
        ByteBufferStreamInput input = new ByteBufferStreamInput(ByteBuffer.wrap(bytes));
--- a/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.delete.json
+++ b/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.delete.json
@ -3,8 +3,8 @@
    "documentation": "https://www.elastic.co/guide/en/shield/current/license-management.html",
    "methods": ["DELETE"],
    "url": {
-      "path": "/_license",
+      "path": "/_xpack/license",
-      "paths": ["/_license"],
+      "paths": ["/_xpack/license"],
      "parts" : {}
    },
    "body": null
--- a/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.get.json
+++ b/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.get.json
@ -3,8 +3,8 @@
    "documentation": "https://www.elastic.co/guide/en/shield/current/license-management.html",
    "methods": ["GET"],
    "url": {
-      "path": "/_license",
+      "path": "/_xpack/license",
-      "paths": ["/_license"],
+      "paths": ["/_xpack/license"],
      "parts" : {
      },
      "params": {
--- a/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.post.json
+++ b/elasticsearch/x-pack/license-plugin/src/test/resources/rest-api-spec/api/license.post.json
@ -3,8 +3,8 @@
    "documentation": "https://www.elastic.co/guide/en/shield/current/license-management.html",
    "methods": ["PUT", "POST"],
    "url": {
-      "path": "/_license",
+      "path": "/_xpack/license",
-      "paths": ["/_license"],
+      "paths": ["/_xpack/license"],
      "parts" : {
      },
      "params": {
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.Version;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;
@ -53,6 +52,7 @@ import java.security.AccessController;
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Collection;
 import java.util.Map;
 import java.util.stream.Collectors;
@ -683,7 +683,7 @@ public class HttpExporter extends Exporter {
        void apply(HttpURLConnection connection) throws UnsupportedEncodingException {
            String userInfo = username + ":" + (password != null ? new String(password) : "");
-            String basicAuth = "Basic " + Base64.encodeBytes(userInfo.getBytes("ISO-8859-1"));
+            String basicAuth = "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes("ISO-8859-1"));
            connection.setRequestProperty("Authorization", basicAuth);
        }
    }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/AbstractCollectorTestCase.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/AbstractCollectorTestCase.java
@ -161,7 +161,7 @@ public abstract class AbstractCollectorTestCase extends MarvelIntegTestCase {
            public void run() {
                for (String nodeId : internalCluster().getNodeNames()) {
                    try {
-                        assertTrue(waitForNoBlocksOnNode(nodeId));
+                        waitForNoBlocksOnNode(nodeId);
                    } catch (Exception e) {
                        fail("failed to wait for no blocks on node [" + nodeId + "]: " + e.getMessage());
                    }
@ -170,13 +170,12 @@ public abstract class AbstractCollectorTestCase extends MarvelIntegTestCase {
        });
    }
-    public boolean waitForNoBlocksOnNode(final String nodeId) throws Exception {
+    public void waitForNoBlocksOnNode(final String nodeId) throws Exception {
-        return assertBusy(() -> {
+        assertBusy(() -> {
            ClusterBlocks clusterBlocks =
                    client(nodeId).admin().cluster().prepareState().setLocal(true).execute().actionGet().getState().blocks();
            assertTrue(clusterBlocks.global().isEmpty());
            assertTrue(clusterBlocks.indices().values().isEmpty());
            return true;
        }, 30L, TimeUnit.SECONDS);
    }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/AbstractExporterTemplateTestCase.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/AbstractExporterTemplateTestCase.java
@ -121,7 +121,8 @@ public abstract class AbstractExporterTemplateTestCase extends MarvelIntegTestCa
        assertNotNull(exporters);
        // Wait for exporting bulks to be ready to export
-        assertBusy(() -> assertThat(exporters.openBulk(), notNullValue()));
+        Runnable busy = () -> assertThat(exporters.openBulk(), notNullValue());
        assertBusy(busy);
        exporters.export(collector.collect());
    }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporterTemplateTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporterTemplateTests.java
@ -93,7 +93,8 @@ public class HttpExporterTemplateTests extends AbstractExporterTemplateTestCase
    @Override
    protected void awaitIndexExists(String index) throws Exception {
-        assertBusy(() -> assertThat("could not find index " + index, dispatcher.hasIndex(index), is(true)), 10, TimeUnit.SECONDS);
+        Runnable busy = () -> assertThat("could not find index " + index, dispatcher.hasIndex(index), is(true));
        assertBusy(busy, 10, TimeUnit.SECONDS);
    }
    class MockServerDispatcher extends Dispatcher {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@ -7,7 +7,6 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.Version;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.inject.Inject;
@ -29,6 +28,7 @@ import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportMessage;
 import java.io.IOException;
 import java.util.Base64;
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@ -157,7 +157,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
    static User decodeUser(String text) {
        try {
-            byte[] bytes = Base64.decode(text);
+            byte[] bytes = Base64.getDecoder().decode(text);
            StreamInput input = StreamInput.wrap(bytes);
            Version version = Version.readVersion(input);
            input.setVersion(version);
@ -173,7 +173,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
            Version.writeVersion(Version.CURRENT, output);
            User.writeTo(user, output);
            byte[] bytes = output.bytes().toBytes();
-            return Base64.encodeBytes(bytes);
+            return Base64.getEncoder().encodeToString(bytes);
        } catch (IOException ioe) {
            if (logger != null) {
                logger.error("could not encode authenticated user in message header... falling back to token headers", ioe);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ReservedRealm.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ReservedRealm.java
@ -18,7 +18,7 @@ import org.elasticsearch.shield.support.Exceptions;
 import org.elasticsearch.shield.user.AnonymousUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.User;
-import org.elasticsearch.shield.user.XPackUser;
+import org.elasticsearch.shield.user.ElasticUser;
 import java.util.Arrays;
 import java.util.Collection;
@ -86,7 +86,7 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
    public static boolean isReserved(String username) {
        assert username != null;
        switch (username) {
-            case XPackUser.NAME:
+            case ElasticUser.NAME:
            case KibanaUser.NAME:
                return true;
            default:
@ -97,8 +97,8 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
    public static User getUser(String username) {
        assert username != null;
        switch (username) {
-            case XPackUser.NAME:
+            case ElasticUser.NAME:
-                return XPackUser.INSTANCE;
+                return ElasticUser.INSTANCE;
            case KibanaUser.NAME:
                return KibanaUser.INSTANCE;
            default:
@ -111,9 +111,9 @@ public class ReservedRealm extends CachingUsernamePasswordRealm {
    public static Collection<User> users() {
        if (AnonymousUser.enabled()) {
-            return Arrays.asList(XPackUser.INSTANCE, KibanaUser.INSTANCE, AnonymousUser.INSTANCE);
+            return Arrays.asList(ElasticUser.INSTANCE, KibanaUser.INSTANCE, AnonymousUser.INSTANCE);
        }
-        return Arrays.asList(XPackUser.INSTANCE, KibanaUser.INSTANCE);
+        return Arrays.asList(ElasticUser.INSTANCE, KibanaUser.INSTANCE);
    }
    private char[] getPasswordHash(final String username) {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/Hasher.java
@ -5,13 +5,12 @@
 */
 package org.elasticsearch.shield.authc.support;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Randomness;
 import org.elasticsearch.common.hash.MessageDigests;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
 import java.util.Locale;
 import java.util.Random;
@ -145,7 +144,7 @@ public enum Hasher {
            byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars());
            MessageDigest md = MessageDigests.sha1();
            md.update(textBytes);
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
            return (SHA1_PREFIX + hash).toCharArray();
        }
@ -158,7 +157,7 @@ public enum Hasher {
            byte[] textBytes = CharArrays.toUtf8Bytes(text.internalChars());
            MessageDigest md = MessageDigests.sha1();
            md.update(textBytes);
-            String passwd64 = Base64.encodeBytes(md.digest());
+            String passwd64 = Base64.getEncoder().encodeToString(md.digest());
            String hashNoPrefix = hashStr.substring(SHA1_PREFIX.length());
            return SecuredString.constantTimeEquals(hashNoPrefix, passwd64);
        }
@ -169,7 +168,7 @@ public enum Hasher {
        public char[] hash(SecuredString text) {
            MessageDigest md = MessageDigests.md5();
            md.update(CharArrays.toUtf8Bytes(text.internalChars()));
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
            return (MD5_PREFIX + hash).toCharArray();
        }
@ -182,7 +181,7 @@ public enum Hasher {
            hashStr = hashStr.substring(MD5_PREFIX.length());
            MessageDigest md = MessageDigests.md5();
            md.update(CharArrays.toUtf8Bytes(text.internalChars()));
-            String computedHashStr = Base64.encodeBytes(md.digest());
+            String computedHashStr = Base64.getEncoder().encodeToString(md.digest());
            return SecuredString.constantTimeEquals(hashStr, computedHashStr);
        }
    },
@ -194,7 +193,7 @@ public enum Hasher {
            md.update(CharArrays.toUtf8Bytes(text.internalChars()));
            char[] salt = SaltProvider.salt(8);
            md.update(CharArrays.toUtf8Bytes(salt));
-            String hash = Base64.encodeBytes(md.digest());
+            String hash = Base64.getEncoder().encodeToString(md.digest());
            char[] result = new char[SSHA256_PREFIX.length() + salt.length + hash.length()];
            System.arraycopy(SSHA256_PREFIX.toCharArray(), 0, result, 0, SSHA256_PREFIX.length());
            System.arraycopy(salt, 0, result, SSHA256_PREFIX.length(), salt.length);
@ -213,7 +212,7 @@ public enum Hasher {
            MessageDigest md = MessageDigests.sha256();
            md.update(CharArrays.toUtf8Bytes(text.internalChars()));
            md.update(new String(saltAndHash, 0, 8).getBytes(StandardCharsets.UTF_8));
-            String computedHash = Base64.encodeBytes(md.digest());
+            String computedHash = Base64.getEncoder().encodeToString(md.digest());
            return SecuredString.constantTimeEquals(computedHash, new String(saltAndHash, 8, saltAndHash.length - 8));
        }
    },
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/UsernamePasswordToken.java
@ -5,13 +5,12 @@
 */
 package org.elasticsearch.shield.authc.support;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.shield.authc.AuthenticationToken;
 import java.io.IOException;
 import java.nio.CharBuffer;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Objects;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@ -85,8 +84,8 @@ public class UsernamePasswordToken implements AuthenticationToken {
        char[] userpasswd;
        try {
-            userpasswd = CharArrays.utf8BytesToChars(Base64.decode(headerValue.substring(BASIC_AUTH_PREFIX.length()).trim()));
+            userpasswd = CharArrays.utf8BytesToChars(Base64.getDecoder().decode(headerValue.substring(BASIC_AUTH_PREFIX.length()).trim()));
-        } catch (IllegalArgumentException | IOException e) {
+        } catch (IllegalArgumentException e) {
            throw authenticationError("invalid basic authentication header encoding", e);
        }
@ -109,7 +108,7 @@ public class UsernamePasswordToken implements AuthenticationToken {
        chars.put(username).put(':').put(passwd.internalChars());
        //TODO we still have passwords in Strings in headers
-        String basicToken = Base64.encodeBytes(CharArrays.toUtf8Bytes(chars.array()));
+        String basicToken = Base64.getEncoder().encodeToString(CharArrays.toUtf8Bytes(chars.array()));
        return "Basic " + basicToken;
    }
 }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/KibanaRole.java
@ -17,7 +17,7 @@ public class KibanaRole extends Role {
    private static final String[] CLUSTER_PRIVILEGES = new String[] { "monitor", MonitoringBulkAction.NAME};
    private static final RoleDescriptor.IndicesPrivileges[] INDICES_PRIVILEGES = new RoleDescriptor.IndicesPrivileges[] {
-            RoleDescriptor.IndicesPrivileges.builder().indices(".kibana").privileges("all").build() };
+            RoleDescriptor.IndicesPrivileges.builder().indices(".kibana*", ".reporting-*").privileges("all").build() };
    public static final String NAME = "kibana";
    public static final RoleDescriptor DESCRIPTOR = new RoleDescriptor(NAME, CLUSTER_PRIVILEGES, INDICES_PRIVILEGES, null);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@ -6,7 +6,6 @@
 package org.elasticsearch.shield.crypto;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
@ -39,6 +38,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
@ -138,11 +138,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
        keyFile = resolveSystemKey(settings, env);
        systemKey = readSystemKey(keyFile);
        randomKey = generateSecretKey(RANDOM_KEY_SIZE);
-        try {
+        randomKeyBase64 = Base64.getUrlEncoder().encodeToString(randomKey.getEncoded());
            randomKeyBase64 = Base64.encodeBytes(randomKey.getEncoded(), 0, randomKey.getEncoded().length, Base64.URL_SAFE);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to encode key data as base64", e);
        }
        signingKey = createSigningKey(systemKey, randomKey);
@ -256,17 +252,17 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
        } else {
            byte[] randomKeyBytes;
            try {
-                randomKeyBytes = Base64.decode(base64RandomKey, Base64.URL_SAFE);
+                randomKeyBytes = Base64.getUrlDecoder().decode(base64RandomKey);
            } catch (IllegalArgumentException e) {
                logger.error("error occurred while decoding key data", e);
                throw new IllegalStateException("error while verifying the signed text");
            }
            if (randomKeyBytes.length * 8 != RANDOM_KEY_SIZE) {
                logger.debug("incorrect random key data length. received [{}] bytes", randomKeyBytes.length);
                throw new IllegalArgumentException("tampered signed text");
            }
            SecretKey randomKey = new SecretKeySpec(randomKeyBytes, KEY_ALGO);
            signingKey = createSigningKey(systemKey, randomKey);
            } catch (IOException e) {
                logger.error("error occurred while decoding key data", e);
                throw new IllegalStateException("error while verifying the signed text");
            }
        }
        try {
@ -297,7 +293,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
        }
        byte[] charBytes = CharArrays.toUtf8Bytes(chars);
-        String base64 = Base64.encodeBytes(encryptInternal(charBytes, key));
+        String base64 = Base64.getEncoder().encodeToString(encryptInternal(charBytes, key));
        return ENCRYPTED_TEXT_PREFIX.concat(base64).toCharArray();
    }
@ -335,8 +331,8 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
        String encrypted = new String(chars, ENCRYPTED_TEXT_PREFIX.length(), chars.length - ENCRYPTED_TEXT_PREFIX.length());
        byte[] bytes;
        try {
-            bytes = Base64.decode(encrypted);
+            bytes = Base64.getDecoder().decode(encrypted);
-        } catch (IOException e) {
+        } catch (IllegalArgumentException e) {
            throw new ElasticsearchException("unable to decode encrypted data", e);
        }
@ -430,7 +426,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
    private static String signInternal(String text, SecretKey key) throws IOException {
        Mac mac = createMac(key);
        byte[] sig = mac.doFinal(text.getBytes(StandardCharsets.UTF_8));
-        return Base64.encodeBytes(sig, 0, sig.length, Base64.URL_SAFE);
+        return Base64.getUrlEncoder().encodeToString(sig);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java
@ -25,7 +25,7 @@ import static org.elasticsearch.shield.Security.setting;
 */
 public class AnonymousUser extends ReservedUser {
-    public static final String DEFAULT_ANONYMOUS_USERNAME = "_es_anonymous_user";
+    public static final String DEFAULT_ANONYMOUS_USERNAME = "_anonymous";
    public static final Setting<String> USERNAME_SETTING =
            new Setting<>(setting("authc.anonymous.username"), DEFAULT_ANONYMOUS_USERNAME, s -> s, Property.NodeScope);
    public static final Setting<List<String>> ROLES_SETTING =
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/ElasticUser.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/ElasticUser.java
@ -0,0 +1,42 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.shield.user;
 import org.elasticsearch.shield.authz.permission.SuperuserRole;
 import org.elasticsearch.shield.user.User.ReservedUser;
 /**
 * The reserved {@code elastic} superuser. As full permission/access to the cluster/indices and can
 * run as any other user.
 */
 public class ElasticUser extends ReservedUser {
    public static final String NAME = "elastic";
    public static final String ROLE_NAME = SuperuserRole.NAME;
    public static final ElasticUser INSTANCE = new ElasticUser();
    private ElasticUser() {
        super(NAME, ROLE_NAME);
    }
    @Override
    public boolean equals(Object o) {
        return INSTANCE == o;
    }
    @Override
    public int hashCode() {
        return System.identityHashCode(this);
    }
    public static boolean is(User user) {
        return INSTANCE.equals(user);
    }
    public static boolean is(String principal) {
        return NAME.equals(principal);
    }
 }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/SystemUser.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/SystemUser.java
@ -16,8 +16,8 @@ import java.util.function.Predicate;
 */
 public class SystemUser extends User {
-    public static final String NAME = "__es_system_user";
+    public static final String NAME = "_system";
-    public static final String ROLE_NAME = "__es_system_role";
+    public static final String ROLE_NAME = "_system";
    public static final User INSTANCE = new SystemUser();
@ -41,6 +41,10 @@ public class SystemUser extends User {
        return INSTANCE.equals(user);
    }
    public static boolean is(String principal) {
        return NAME.equals(principal);
    }
    public static boolean isAuthorized(String action) {
        return PREDICATE.test(action);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/User.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/User.java
@ -187,12 +187,14 @@ public class User implements ToXContent {
    public static User readFrom(StreamInput input) throws IOException {
        if (input.readBoolean()) {
            String name = input.readString();
-            if (SystemUser.NAME.equals(name)) {
+            if (SystemUser.is(name)) {
                return SystemUser.INSTANCE;
            } else if (XPackUser.is(name)) {
                return XPackUser.INSTANCE;
            }
            User user = ReservedRealm.getUser(name);
            if (user == null) {
-                throw new IllegalStateException("invalid internal user");
+                throw new IllegalStateException("invalid reserved user");
            }
            return user;
        }
@ -217,6 +219,9 @@ public class User implements ToXContent {
        if (SystemUser.is(user)) {
            output.writeBoolean(true);
            output.writeString(SystemUser.NAME);
        } else if (XPackUser.is(user)) {
            output.writeBoolean(true);
            output.writeString(XPackUser.NAME);
        } else if (ReservedRealm.isReserved(user.principal())) {
            output.writeBoolean(true);
            output.writeString(user.principal());
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/XPackUser.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/XPackUser.java
@ -12,9 +12,9 @@ import org.elasticsearch.shield.user.User.ReservedUser;
 * XPack internal user that manages xpack. Has all cluster/indices permissions for watcher,
 * shield and monitoring to operate.
 */
-public class XPackUser extends ReservedUser {
+public class XPackUser extends User {
-    public static final String NAME = "elastic";
+    public static final String NAME = "_xpack";
    public static final String ROLE_NAME = SuperuserRole.NAME;
    public static final XPackUser INSTANCE = new XPackUser();
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
@ -9,8 +9,6 @@ import org.apache.lucene.search.join.ScoreMode;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.get.GetResponse;
 import org.elasticsearch.action.get.MultiGetResponse;
 import org.elasticsearch.action.percolate.PercolateResponse;
 import org.elasticsearch.action.percolate.PercolateSourceBuilder;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
 import org.elasticsearch.action.termvectors.TermVectorsRequest;
@ -605,86 +603,6 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
        assertThat(searchResponse.getHits().getAt(1).id(), equalTo("c2"));
    }
    public void testPercolateApi() {
        assertAcked(client().admin().indices().prepareCreate("test")
            .addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text", "field3", "type=text")
        );
        client().prepareIndex("test", "query", "1")
                .setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
                .setRefresh(true)
                .get();
        // Percolator without a query just evaluates all percolator queries that are loaded, so we have a match:
        PercolateResponse response = client()
                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
        response = client()
                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(0L));
        response = client()
                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
        // Percolator with a query on a document that the current user can see. Percolator will have one query to evaluate, so there is a
        // match:
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateQuery(termQuery("field1", "value1"))
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
        // Percolator with a query on a document that the current user can't see. Percolator will not have queries to evaluate, so there
        // is no match:
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateQuery(termQuery("field1", "value1"))
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(0L));
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateQuery(termQuery("field1", "value1"))
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
        assertAcked(client().admin().indices().prepareClose("test"));
        assertAcked(client().admin().indices().prepareOpen("test"));
        ensureGreen("test");
        // Ensure that the query loading that happens at startup has permissions to load the percolator queries:
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
    }
    public void testScroll() throws Exception {
        assertAcked(client().admin().indices().prepareCreate("test")
                .setSettings(Settings.builder().put(IndicesRequestCache.INDEX_CACHE_REQUEST_ENABLED_SETTING.getKey(), true))
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@ -10,8 +10,6 @@ import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.fieldstats.FieldStatsResponse;
 import org.elasticsearch.action.get.GetResponse;
 import org.elasticsearch.action.get.MultiGetResponse;
 import org.elasticsearch.action.percolate.PercolateResponse;
 import org.elasticsearch.action.percolate.PercolateSourceBuilder;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.termvectors.MultiTermVectorsResponse;
 import org.elasticsearch.action.termvectors.TermVectorsRequest;
@ -1122,49 +1120,6 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
        assertThat(response.getResponses()[0].getResponse().getFields().terms("field2").size(), equalTo(1L));
    }
    public void testPercolateApi() {
        assertAcked(client().admin().indices().prepareCreate("test")
                        .addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text")
        );
        client().prepareIndex("test", "query", "1")
                .setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
                .setRefresh(true)
                .get();
        // Percolator without a query just evaluates all percolator queries that are loaded, so we have a match:
        PercolateResponse response = client()
                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
        // Percolator with a query on a field that the current user can't see. Percolator will not have queries to evaluate, so there is
        // no match:
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateQuery(termQuery("field1", "value1"))
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(0L));
        assertAcked(client().admin().indices().prepareClose("test"));
        assertAcked(client().admin().indices().prepareOpen("test"));
        ensureGreen("test");
        // Ensure that the query loading that happens at startup has permissions to load the percolator queries:
        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                .preparePercolate()
                .setDocumentType("query")
                .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
                .get();
        assertThat(response.getCount(), equalTo(1L));
        assertThat(response.getMatches()[0].getId().string(), equalTo("1"));
    }
    public void testParentChild() {
        assertAcked(prepareCreate("test")
                .addMapping("parent")
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/action/user/TransportAuthenticateActionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/action/user/TransportAuthenticateActionTests.java
@ -11,10 +11,10 @@ import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.SecurityContext;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.user.XPackUser;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
@ -83,7 +83,7 @@ public class TransportAuthenticateActionTests extends ESTestCase {
    }
    public void testValidUser() {
-        final User user = randomFrom(XPackUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
+        final User user = randomFrom(ElasticUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
        SecurityContext securityContext = mock(SecurityContext.class);
        when(securityContext.getUser()).thenReturn(user);
        TransportAuthenticateAction action = new TransportAuthenticateAction(Settings.EMPTY, mock(ThreadPool.class),
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/action/user/TransportChangePasswordActionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/action/user/TransportChangePasswordActionTests.java
@ -14,10 +14,10 @@ import org.elasticsearch.shield.authc.esnative.NativeUsersStore;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.user.AnonymousUser;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.user.XPackUser;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
@ -109,7 +109,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
    }
    public void testValidUser() {
-        final User user = randomFrom(XPackUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
+        final User user = randomFrom(ElasticUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
        NativeUsersStore usersStore = mock(NativeUsersStore.class);
        ChangePasswordRequest request = new ChangePasswordRequest();
        request.username(user.principal());
@ -147,7 +147,7 @@ public class TransportChangePasswordActionTests extends ESTestCase {
    }
    public void testException() {
-        final User user = randomFrom(XPackUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
+        final User user = randomFrom(ElasticUser.INSTANCE, KibanaUser.INSTANCE, new User("joe"));
        NativeUsersStore usersStore = mock(NativeUsersStore.class);
        ChangePasswordRequest request = new ChangePasswordRequest();
        request.username(user.principal());
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@ -8,7 +8,6 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.Version;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.settings.Settings;
@ -37,6 +36,7 @@ import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@ -751,7 +751,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
        User user = new User("username", "r1", "r2", "r3");
        String text = InternalAuthenticationService.encodeUser(user, null);
-        StreamInput input = StreamInput.wrap(Base64.decode(text));
+        StreamInput input = StreamInput.wrap(Base64.getDecoder().decode(text));
        Version version = Version.readVersion(input);
        assertThat(version, is(Version.CURRENT));
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java
@ -16,25 +16,25 @@ import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.shield.ShieldTemplateService;
 import org.elasticsearch.shield.action.role.DeleteRoleResponse;
 import org.elasticsearch.shield.action.role.GetRolesResponse;
 import org.elasticsearch.shield.action.user.AuthenticateAction;
 import org.elasticsearch.shield.action.user.AuthenticateRequest;
 import org.elasticsearch.shield.action.user.AuthenticateResponse;
 import org.elasticsearch.shield.action.user.ChangePasswordResponse;
 import org.elasticsearch.shield.authz.permission.KibanaRole;
 import org.elasticsearch.shield.authz.permission.SuperuserRole;
 import org.elasticsearch.shield.user.AnonymousUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.action.role.DeleteRoleResponse;
 import org.elasticsearch.shield.action.role.GetRolesResponse;
 import org.elasticsearch.shield.action.user.DeleteUserResponse;
 import org.elasticsearch.shield.action.user.GetUsersResponse;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.permission.KibanaRole;
 import org.elasticsearch.shield.authz.permission.Role;
 import org.elasticsearch.shield.authz.permission.SuperuserRole;
 import org.elasticsearch.shield.client.SecurityClient;
-import org.elasticsearch.shield.user.XPackUser;
+import org.elasticsearch.shield.user.AnonymousUser;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.test.NativeRealmIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.junit.BeforeClass;
@ -457,7 +457,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
    }
    public void testOperationsOnReservedUsers() throws Exception {
-        final String username = randomFrom(XPackUser.NAME, KibanaUser.NAME);
+        final String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME);
        IllegalArgumentException exception = expectThrows(IllegalArgumentException.class,
                () -> securityClient().preparePutUser(username, randomBoolean() ? "changeme".toCharArray() : null, "admin").get());
        assertThat(exception.getMessage(), containsString("user [" + username + "] is reserved"));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmIntegTests.java
@ -7,8 +7,8 @@ package org.elasticsearch.shield.authc.esnative;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.XPackUser;
 import org.elasticsearch.shield.action.user.ChangePasswordResponse;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.NativeRealmIntegTestCase;
@ -29,7 +29,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {
    private static final SecuredString DEFAULT_PASSWORD = new SecuredString("changeme".toCharArray());
    public void testAuthenticate() {
-        for (String username : Arrays.asList(XPackUser.NAME, KibanaUser.NAME)) {
+        for (String username : Arrays.asList(ElasticUser.NAME, KibanaUser.NAME)) {
            ClusterHealthResponse response = client()
                    .filterWithHeader(singletonMap("Authorization", basicAuthHeaderValue(username, DEFAULT_PASSWORD)))
                    .admin()
@ -42,7 +42,7 @@ public class ReservedRealmIntegTests extends NativeRealmIntegTestCase {
    }
    public void testChangingPassword() {
-        String username = randomFrom(XPackUser.NAME, KibanaUser.NAME);
+        String username = randomFrom(ElasticUser.NAME, KibanaUser.NAME);
        final char[] newPassword = "supersecretvalue".toCharArray();
        if (randomBoolean()) {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ReservedRealmTests.java
@ -13,9 +13,9 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.user.AnonymousUser;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.user.XPackUser;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@ -49,7 +49,7 @@ public class ReservedRealmTests extends ESTestCase {
    public void testUserStoreNotStarted() {
        when(usersStore.started()).thenReturn(false);
        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
-        final String principal = randomFrom(XPackUser.NAME, KibanaUser.NAME);
+        final String principal = randomFrom(ElasticUser.NAME, KibanaUser.NAME);
        ElasticsearchSecurityException expected = expectThrows(ElasticsearchSecurityException.class,
                () -> reservedRealm.doAuthenticate(new UsernamePasswordToken(principal, DEFAULT_PASSWORD)));
@ -65,7 +65,7 @@ public class ReservedRealmTests extends ESTestCase {
            when(usersStore.shieldIndexExists()).thenReturn(true);
        }
        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
-        final User expected = randomFrom((User) XPackUser.INSTANCE, (User) KibanaUser.INSTANCE);
+        final User expected = randomFrom((User) ElasticUser.INSTANCE, KibanaUser.INSTANCE);
        final String principal = expected.principal();
        final User authenticated = reservedRealm.doAuthenticate(new UsernamePasswordToken(principal, DEFAULT_PASSWORD));
@ -81,7 +81,7 @@ public class ReservedRealmTests extends ESTestCase {
    public void testAuthenticationWithStoredPassword() throws Throwable {
        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
-        final User expectedUser = randomFrom((User) XPackUser.INSTANCE, (User) KibanaUser.INSTANCE);
+        final User expectedUser = randomFrom((User) ElasticUser.INSTANCE, KibanaUser.INSTANCE);
        final String principal = expectedUser.principal();
        final SecuredString newPassword = new SecuredString("foobar".toCharArray());
        when(usersStore.shieldIndexExists()).thenReturn(true);
@ -107,7 +107,7 @@ public class ReservedRealmTests extends ESTestCase {
    public void testLookup() {
        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
-        final User expectedUser = randomFrom((User) XPackUser.INSTANCE, (User) KibanaUser.INSTANCE);
+        final User expectedUser = randomFrom((User) ElasticUser.INSTANCE, KibanaUser.INSTANCE);
        final String principal = expectedUser.principal();
        final User user = reservedRealm.doLookupUser(principal);
@ -120,7 +120,7 @@ public class ReservedRealmTests extends ESTestCase {
    }
    public void testHelperMethods() {
-        final User expectedUser = randomFrom((User) XPackUser.INSTANCE, KibanaUser.INSTANCE);
+        final User expectedUser = randomFrom((User) ElasticUser.INSTANCE, KibanaUser.INSTANCE);
        final String principal = expectedUser.principal();
        assertThat(ReservedRealm.isReserved(principal), is(true));
        assertThat(ReservedRealm.getUser(principal), sameInstance(expectedUser));
@ -129,19 +129,20 @@ public class ReservedRealmTests extends ESTestCase {
        assertThat(ReservedRealm.isReserved(notExpected), is(false));
        assertThat(ReservedRealm.getUser(notExpected), nullValue());
-        assertThat(ReservedRealm.users(), containsInAnyOrder((User) XPackUser.INSTANCE, KibanaUser.INSTANCE));
+        assertThat(ReservedRealm.users(), containsInAnyOrder((User) ElasticUser.INSTANCE, KibanaUser.INSTANCE));
    }
    public void testFailedAuthentication() {
        final ReservedRealm reservedRealm = new ReservedRealm(mock(Environment.class), Settings.EMPTY, usersStore);
        // maybe cache a successful auth
        if (randomBoolean()) {
-            User user = reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("changeme".toCharArray())));
+            User user = reservedRealm.authenticate(
-            assertThat(user, sameInstance(XPackUser.INSTANCE));
+                    new UsernamePasswordToken(ElasticUser.NAME, new SecuredString("changeme".toCharArray())));
            assertThat(user, sameInstance(ElasticUser.INSTANCE));
        }
        try {
-            reservedRealm.authenticate(new UsernamePasswordToken(XPackUser.NAME, new SecuredString("foobar".toCharArray())));
+            reservedRealm.authenticate(new UsernamePasswordToken(ElasticUser.NAME, new SecuredString("foobar".toCharArray())));
            fail("authentication should throw an exception otherwise we may allow others to impersonate reserved users...");
        } catch (ElasticsearchSecurityException e) {
            assertThat(e.getMessage(), containsString("failed to authenticate"));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/tool/UsersToolTests.java
@ -92,6 +92,7 @@ public class UsersToolTests extends CommandTestCase {
    public static void closeJimfs() throws IOException {
        if (jimfs != null) {
            jimfs.close();
            jimfs = null;
        }
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/OpenLdapTests.java
@ -119,7 +119,7 @@ public class OpenLdapTests extends ESTestCase {
        Map<String, Object> stats = realm.usageStats();
        assertThat(stats, is(notNullValue()));
-        assertThat(stats, hasEntry("size", "small"));
+        assertThat(stats, hasEntry("size", "tiny"));
        assertThat(stats, hasEntry("ssl", true));
        assertThat(stats, hasEntry("user_search", userSearch));
        assertThat(stats, hasEntry("load_balance_type", loadBalanceType));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordRealmTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordRealmTests.java
@ -20,7 +20,7 @@ public class UsernamePasswordRealmTests extends ESTestCase {
        int count = randomIntBetween(0, 1000);
        UsernamePasswordRealm.UserbaseSize size = UsernamePasswordRealm.UserbaseSize.resolve(count);
        if (count < 10) {
-            assertThat(size, is(UsernamePasswordRealm.UserbaseSize.SMALL));
+            assertThat(size, is(UsernamePasswordRealm.UserbaseSize.TINY));
        } else if (count < 100) {
            assertThat(size, is(UsernamePasswordRealm.UserbaseSize.SMALL));
        } else if (count < 500) {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/UsernamePasswordTokenTests.java
@ -6,7 +6,6 @@
 package org.elasticsearch.shield.authc.support;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.test.ESTestCase;
@ -14,6 +13,7 @@ import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import static org.elasticsearch.test.ShieldTestsUtils.assertAuthenticationException;
 import static org.hamcrest.Matchers.equalTo;
@ -35,7 +35,7 @@ public class UsernamePasswordTokenTests extends ESTestCase {
        assertThat(header, notNullValue());
        assertTrue(header.startsWith("Basic "));
        String token = header.substring("Basic ".length());
-        token = new String(Base64.decode(token), StandardCharsets.UTF_8);
+        token = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8);
        int i = token.indexOf(":");
        assertTrue(i > 0);
        String username = token.substring(0, i);
@ -46,7 +46,7 @@ public class UsernamePasswordTokenTests extends ESTestCase {
    public void testExtractToken() throws Exception {
        ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
-        String header = "Basic " + Base64.encodeBytes("user1:test123".getBytes(StandardCharsets.UTF_8));
+        String header = "Basic " + Base64.getEncoder().encodeToString("user1:test123".getBytes(StandardCharsets.UTF_8));
        threadContext.putHeader(UsernamePasswordToken.BASIC_AUTH_HEADER, header);
        UsernamePasswordToken token = UsernamePasswordToken.extractToken(threadContext);
        assertThat(token, notNullValue());
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/KibanaRoleTests.java
@ -22,6 +22,8 @@ import org.elasticsearch.shield.user.User;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.transport.TransportRequest;
 import java.util.Arrays;
 import static org.hamcrest.Matchers.is;
 /**
@ -45,17 +47,27 @@ public class KibanaRoleTests extends ESTestCase {
        assertThat(KibanaRole.INSTANCE.runAs().isEmpty(), is(true));
    }
-    public void testIndices() {
+    public void testUnauthorizedIndices() {
        final String kibanaIndex = ".kibana";
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(kibanaIndex), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test("foo"), is(false));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(".reporting"), is(false));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(randomAsciiOfLengthBetween(8, 24)), is(false));
    }
    public void testKibanaIndices() {
        Arrays.asList(".kibana", ".kibana-devnull").forEach(this::testAllIndexAccess);
    }
    public void testReportingIndices() {
        testAllIndexAccess(".reporting-" + randomAsciiOfLength(randomIntBetween(0, 13)));
    }
    private void testAllIndexAccess(String index) {
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:foo").test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher("indices:bar").test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteIndexAction.NAME).test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(CreateIndexAction.NAME).test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(IndexAction.NAME).test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(DeleteAction.NAME).test(index), is(true));
        assertThat(KibanaRole.INSTANCE.indices().allowedIndicesMatcher(UpdateSettingsAction.NAME).test(index), is(true));
    }
 }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
@ -358,7 +358,7 @@ public class FileRolesStoreTests extends ESTestCase {
        assertThat(messages, notNullValue());
        assertThat(messages, hasSize(4));
        // the system role will always be checked first
-        assertThat(messages.get(0).text, containsString("role [__es_system_role] is reserved"));
+        assertThat(messages.get(0).text, containsString("role [_system] is reserved"));
        assertThat(messages.get(1).text, containsString("role [superuser] is reserved"));
        assertThat(messages.get(2).text, containsString("role [kibana] is reserved"));
        assertThat(messages.get(3).text, containsString("role [transport_client] is reserved"));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/ReservedRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/ReservedRolesStoreTests.java
@ -9,10 +9,10 @@ import org.elasticsearch.shield.SecurityContext;
 import org.elasticsearch.shield.authz.permission.KibanaRole;
 import org.elasticsearch.shield.authz.permission.SuperuserRole;
 import org.elasticsearch.shield.authz.permission.TransportClientRole;
 import org.elasticsearch.shield.user.ElasticUser;
 import org.elasticsearch.shield.user.KibanaUser;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.user.XPackUser;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@ -41,7 +41,7 @@ public class ReservedRolesStoreTests extends ESTestCase {
    public void testRetrievingReservedRolesNonKibanaUser() {
        if (randomBoolean()) {
-            when(securityContext.getUser()).thenReturn(XPackUser.INSTANCE);
+            when(securityContext.getUser()).thenReturn(ElasticUser.INSTANCE);
        }
        assertThat(reservedRolesStore.role(SuperuserRole.NAME), sameInstance(SuperuserRole.INSTANCE));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/user/UserTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/user/UserTests.java
@ -10,6 +10,7 @@ import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.stream.ByteBufferStreamInput;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.XPackClient;
 import java.util.Arrays;
 import java.util.Collections;
@ -58,7 +59,7 @@ public class UserTests extends ESTestCase {
        assertThat(readFromRunAs.runAs(), is(nullValue()));
    }
-    public void testSystemReadAndWrite() throws Exception {
+    public void testSystemUserReadAndWrite() throws Exception {
        BytesStreamOutput output = new BytesStreamOutput();
        User.writeTo(SystemUser.INSTANCE, output);
@ -68,6 +69,16 @@ public class UserTests extends ESTestCase {
        assertThat(readFrom.runAs(), is(nullValue()));
    }
    public void testXPackUserReadAndWrite() throws Exception {
        BytesStreamOutput output = new BytesStreamOutput();
        User.writeTo(XPackUser.INSTANCE, output);
        User readFrom = User.readFrom(ByteBufferStreamInput.wrap(output.bytes()));
        assertThat(readFrom, is(sameInstance(XPackUser.INSTANCE)));
        assertThat(readFrom.runAs(), is(nullValue()));
    }
    public void testFakeInternalUserSerialization() throws Exception {
        BytesStreamOutput output = new BytesStreamOutput();
        output.writeBoolean(true);
@ -102,10 +113,10 @@ public class UserTests extends ESTestCase {
    public void testReservedUserSerialization() throws Exception {
        BytesStreamOutput output = new BytesStreamOutput();
-        User.writeTo(XPackUser.INSTANCE, output);
+        User.writeTo(ElasticUser.INSTANCE, output);
        User readFrom = User.readFrom(ByteBufferStreamInput.wrap(output.bytes()));
-        assertThat(readFrom, is(sameInstance(XPackUser.INSTANCE)));
+        assertThat(readFrom, is(sameInstance(ElasticUser.INSTANCE)));
        output = new BytesStreamOutput();
        User.writeTo(KibanaUser.INSTANCE, output);
--- a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/reserved_roles.yml
+++ b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/reserved_roles.yml
@ -5,7 +5,7 @@ admin:
    - names: '*'
      privileges: [ all ]
-__es_system_role:
+_system:
  cluster:
    - all
  indices:
--- a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions
+++ b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions
@ -59,10 +59,8 @@ indices:data/read/field_stats
 indices:data/read/get
 indices:data/read/xpack/graph/explore
 indices:data/read/mget
 indices:data/read/mpercolate
 indices:data/read/msearch
 indices:data/read/mtv
 indices:data/read/percolate
 cluster:admin/script/get
 indices:data/read/scroll
 indices:data/read/scroll/clear
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@ -37,6 +37,8 @@ import org.elasticsearch.xpack.common.secret.SecretModule;
 import org.elasticsearch.xpack.extensions.XPackExtension;
 import org.elasticsearch.xpack.extensions.XPackExtensionsService;
 import org.elasticsearch.xpack.notification.Notification;
 import org.elasticsearch.xpack.notification.email.Account;
 import org.elasticsearch.xpack.notification.email.support.BodyPartSource;
 import org.elasticsearch.xpack.rest.action.RestXPackInfoAction;
 import org.elasticsearch.xpack.common.text.TextTemplateModule;
 import org.elasticsearch.xpack.rest.action.RestXPackUsageAction;
@ -84,6 +86,9 @@ public class XPackPlugin extends Plugin {
                throw bogus; // some other bug
            }
        }
        // some classes need to have their own clinit blocks
        BodyPartSource.init();
        Account.init();
    }
    protected final Settings settings;
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/common/http/auth/basic/ApplicableBasicAuth.java
@ -5,12 +5,12 @@
 */
 package org.elasticsearch.xpack.common.http.auth.basic;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.xpack.common.http.auth.ApplicableHttpAuth;
 import org.elasticsearch.xpack.common.secret.SecretService;
 import java.net.HttpURLConnection;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 /**
 */
@ -24,7 +24,7 @@ public class ApplicableBasicAuth extends ApplicableHttpAuth<BasicAuth> {
    }
    public static String headerValue(String username, char[] password) {
-        return "Basic " + Base64.encodeBytes((username + ":" + new String(password)).getBytes(StandardCharsets.UTF_8));
+        return "Basic " + Base64.getEncoder().encodeToString((username + ":" + new String(password)).getBytes(StandardCharsets.UTF_8));
    }
    public void apply(HttpURLConnection connection) {
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/Account.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/Account.java
@ -32,13 +32,6 @@ public class Account {
    static final String SMTP_PROTOCOL = "smtp";
    static {
        // required as java doesn't always find the correct mailcap to properly handle mime types
        final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
        mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
        mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
        mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
        mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
        mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SpecialPermission());
@ -46,12 +39,22 @@ public class Account {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                // required as java doesn't always find the correct mailcap to properly handle mime types
                final MailcapCommandMap mailcap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
                mailcap.addMailcap("text/html;; x-java-content-handler=com.sun.mail.handlers.text_html");
                mailcap.addMailcap("text/xml;; x-java-content-handler=com.sun.mail.handlers.text_xml");
                mailcap.addMailcap("text/plain;; x-java-content-handler=com.sun.mail.handlers.text_plain");
                mailcap.addMailcap("multipart/*;; x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
                mailcap.addMailcap("message/rfc822;; x-java-content-handler=com.sun.mail.handlers.message_rfc822");
                CommandMap.setDefaultCommandMap(mailcap);
                return null;
            }
        });
    }
    // exists only to allow ensuring class is initialized
    public static void init() {}
    static final Settings DEFAULT_SMTP_TIMEOUT_SETTINGS = Settings.builder()
            .put("connection_timeout", TimeValue.timeValueMinutes(2))
            .put("write_timeout", TimeValue.timeValueMinutes(2))
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/support/BodyPartSource.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/email/support/BodyPartSource.java
@ -5,18 +5,30 @@
 */
 package org.elasticsearch.xpack.notification.email.support;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.xcontent.ToXContent;
 import javax.activation.CommandMap;
 import javax.activation.FileTypeMap;
 import javax.mail.MessagingException;
 import javax.mail.internet.MimeBodyPart;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 /**
 *
 */
 public abstract class BodyPartSource implements ToXContent {
-    protected static FileTypeMap fileTypeMap = FileTypeMap.getDefaultFileTypeMap();
+    protected static FileTypeMap fileTypeMap;
    static {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SpecialPermission());
        }
        fileTypeMap = AccessController.doPrivileged(
            (PrivilegedAction<FileTypeMap>)() -> FileTypeMap.getDefaultFileTypeMap());
    }
    protected final String id;
    protected final String name;
@ -46,4 +58,7 @@ public abstract class BodyPartSource implements ToXContent {
    public abstract MimeBodyPart bodyPart() throws MessagingException;
    // exists only to allow ensuring class is initialized
    public static void init() {}
 }
--- a/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy
+++ b/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy
@ -11,6 +11,8 @@ grant {
  // to load the class with the application class loader
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  // TODO: remove use of this jar as soon as possible!!!!
  permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";
  // bouncy castle
  permission java.security.SecurityPermission "putProviderProperty.BC";
--- a/elasticsearch/x-pack/src/test/resources/rest-api-spec/api/xpack.info.json
+++ b/elasticsearch/x-pack/src/test/resources/rest-api-spec/api/xpack.info.json
@ -1,6 +1,6 @@
 {
  "xpack.info": {
-    "documentation": "Retrieve information about xpack, including buid number/timestamp and license status",
+    "documentation": "Retrieve information about xpack, including build number/timestamp and license status",
    "methods": [ "GET" ],
    "url": {
      "path": "/_xpack",
--- a/elasticsearch/x-pack/src/test/resources/rest-api-spec/api/xpack.usage.json
+++ b/elasticsearch/x-pack/src/test/resources/rest-api-spec/api/xpack.usage.json
@ -1,5 +1,5 @@
 {
-  "xpack.info": {
+  "xpack.usage": {
    "documentation": "Retrieve information about xpack features usage",
    "methods": [ "GET" ],
    "url": {
--- a/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/15_basic.yaml
+++ b/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/15_basic.yaml
@ -1,6 +1,6 @@
-# Integration tests xpack info API
+# Integration tests xpack info and usage API
 #
-"X-Pack Info":
+"X-Pack Info and Usage":
  - do:
      cluster.health:
@ -83,6 +83,17 @@
  - is_true:    features.monitoring.description
  - is_true:    tagline
  - do:
    xpack.usage: {}
  - is_true:    watcher.enabled
  - is_true:    watcher.available
  - is_true:    security.enabled
  - is_true:    security.available
  - is_true:    graph.enabled
  - is_true:    graph.available
  - is_true:    monitoring.enabled
  - is_true:    monitoring.available
  - do:
    xpack.info:
      categories: "_none"
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java
@ -5,7 +5,6 @@
 */
 package org.elasticsearch.script;
 import org.elasticsearch.script.ScriptMode;
 import org.elasticsearch.xpack.common.text.DefaultTextTemplateEngine;
 import java.util.Collections;
@ -29,8 +28,7 @@ public class MockMustacheScriptEngine extends MockScriptEngine {
        }
        public void onModule(ScriptModule module) {
-            module.addScriptEngine(new ScriptEngineRegistry.ScriptEngineRegistration(MockMustacheScriptEngine.class,
+            module.addScriptEngine(new ScriptEngineRegistry.ScriptEngineRegistration(MockMustacheScriptEngine.class, NAME, true));
                            NAME, ScriptMode.ON));
        }
    }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java
@ -7,7 +7,6 @@ package org.elasticsearch.script;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.ScriptMode;
 import org.elasticsearch.search.lookup.SearchLookup;
 import java.io.IOException;
@ -39,7 +38,7 @@ public class SleepScriptEngine implements ScriptEngineService {
        public void onModule(ScriptModule module) {
            module.addScriptEngine(new ScriptEngineRegistry.ScriptEngineRegistration(SleepScriptEngine.class,
-                            SleepScriptEngine.NAME, ScriptMode.ON));
+                            SleepScriptEngine.NAME, true));
        }
    }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryTemplateEmailMappingsTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/history/HistoryTemplateEmailMappingsTests.java
@ -6,6 +6,9 @@
 package org.elasticsearch.xpack.watcher.history;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.ESLoggerFactory;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.search.aggregations.Aggregations;
 import org.elasticsearch.search.aggregations.bucket.terms.Terms;
@ -15,6 +18,9 @@ import org.elasticsearch.xpack.watcher.execution.ExecutionState;
 import org.elasticsearch.xpack.watcher.test.AbstractWatcherIntegrationTestCase;
 import org.elasticsearch.xpack.watcher.transport.actions.put.PutWatchResponse;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import static org.elasticsearch.search.aggregations.AggregationBuilders.terms;
 import static org.elasticsearch.search.builder.SearchSourceBuilder.searchSource;
@ -32,15 +38,18 @@ import static org.hamcrest.Matchers.notNullValue;
 * not analyzed so they can be used in aggregations
 */
 public class HistoryTemplateEmailMappingsTests extends AbstractWatcherIntegrationTestCase {
    private static final ESLogger logger = Loggers.getLogger(HistoryTemplateEmailMappingsTests.class);
    static final String USERNAME = "_user";
    static final String PASSWORD = "_passwd";
-    private EmailServer server;
+    private static EmailServer server;
-    @After
+    @AfterClass
-    public void cleanup() throws Exception {
+    public static void cleanup() throws Exception {
        if (server != null) {
            server.stop();
        }
    }
    @Override
    protected boolean timeWarped() {
@ -52,12 +61,16 @@ public class HistoryTemplateEmailMappingsTests extends AbstractWatcherIntegratio
        return false; // remove shield noise from this test
    }
-    @Override
+    @BeforeClass
-    protected Settings nodeSettings(int nodeOrdinal) {
+    public static void setupEmailServer() {
        if(server == null) {
            //Need to construct the Email Server here as this happens before init()
            server = EmailServer.localhost("2500-2600", USERNAME, PASSWORD, logger);
        }
    }
    @Override
    protected Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))