From c0f9b217a506a356162dfdec9dbc80e6731b97af Mon Sep 17 00:00:00 2001
From: Ryan Ernst <ryan@iernst.net>
Date: Mon, 23 May 2016 11:34:51 -0700
Subject: [PATCH 01/22] Build: Only build uber xpack if kibana was built

Original commit: elastic/x-pack-elasticsearch@0fe21ef46a8bc175bf4acc882037626ae61d7ec6
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build.gradle b/build.gradle
index 78a6222af03..ebffdb9973b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -14,6 +14,7 @@ subprojects {
 }
 
 task bundlePack(type: Zip) {
+  onlyIf { project('kibana').bundlePlugin.enabled }
   dependsOn 'elasticsearch:x-pack:bundlePlugin'
   dependsOn 'kibana:bundlePlugin'
   from { zipTree(project('elasticsearch:x-pack').bundlePlugin.outputs.files.singleFile) }

From 9774e5472a14b9b61832f72f9b42068a41fdf910 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20B=C3=BCscher?= <christoph@elastic.co>
Date: Thu, 14 Apr 2016 19:19:56 +0200
Subject: [PATCH 02/22] Adapt to api changes in es core, inner query parsing
 now return Optional<QueryBuilder>

Changes relate to elastic/elasticsearch#17624

Original commit: elastic/x-pack-elasticsearch@bd9d31a9ffce2238761e21564398224ea45abccb
---
 .../graph/rest/action/RestGraphAction.java    | 20 +++++++++----------
 .../ShieldIndexSearcherWrapper.java           |  9 ++++++---
 ...dIndexSearcherWrapperIntegrationTests.java |  4 +++-
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java
index b4b5c56afe0..6e5a9582af4 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java
@@ -5,15 +5,6 @@
  */
 package org.elasticsearch.graph.rest.action;
 
-import static org.elasticsearch.graph.action.GraphExploreAction.INSTANCE;
-import static org.elasticsearch.rest.RestRequest.Method.GET;
-import static org.elasticsearch.rest.RestRequest.Method.POST;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
@@ -39,6 +30,15 @@ import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.rest.action.support.RestActions;
 import org.elasticsearch.rest.action.support.RestToXContentListener;
 
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+
+import static org.elasticsearch.graph.action.GraphExploreAction.INSTANCE;
+import static org.elasticsearch.rest.RestRequest.Method.GET;
+import static org.elasticsearch.rest.RestRequest.Method.POST;
+
 /**
  * @see GraphExploreRequest
  */
@@ -128,7 +128,7 @@ public class RestGraphAction extends BaseRestHandler {
                 }
             } else if (token == XContentParser.Token.START_OBJECT) {
                 if (context.getParseFieldMatcher().match(fieldName, QUERY_FIELD)) {
-                    currentHop.guidingQuery(context.parseInnerQueryBuilder());
+                    context.parseInnerQueryBuilder().ifPresent(currentHop::guidingQuery);
                 } else if (context.getParseFieldMatcher().match(fieldName, CONNECTIONS_FIELD)) {
                     parseHop(parser, context, graphRequest.createNextHop(null), graphRequest);
                 } else if (context.getParseFieldMatcher().match(fieldName, CONTROLS_FIELD)) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
index 1bd5519b0a4..f759543a3b6 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
@@ -52,6 +52,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 import static org.apache.lucene.search.BooleanClause.Occur.SHOULD;
@@ -122,9 +123,11 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
                 for (BytesReference bytesReference : permissions.getQueries()) {
                     QueryShardContext queryShardContext = copyQueryShardContext(this.queryShardContext);
                     try (XContentParser parser = XContentFactory.xContent(bytesReference).createParser(bytesReference)) {
-                        QueryBuilder queryBuilder = queryShardContext.newParseContext(parser).parseInnerQueryBuilder();
-                        ParsedQuery parsedQuery = queryShardContext.toQuery(queryBuilder);
-                        filter.add(parsedQuery.query(), SHOULD);
+                        Optional<QueryBuilder> queryBuilder = queryShardContext.newParseContext(parser).parseInnerQueryBuilder();
+                        if (queryBuilder.isPresent()) {
+                            ParsedQuery parsedQuery = queryShardContext.toQuery(queryBuilder.get());
+                            filter.add(parsedQuery.query(), SHOULD);
+                        }
                     }
                 }
                 // at least one of the queries should match
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperIntegrationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperIntegrationTests.java
index 2c6fb58c4bc..c65b4a2c0a6 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperIntegrationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperIntegrationTests.java
@@ -39,6 +39,7 @@ import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.IndexSettingsModule;
 
 import java.util.Collections;
+import java.util.Optional;
 
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonMap;
@@ -138,7 +139,8 @@ public class ShieldIndexSearcherWrapperIntegrationTests extends ESTestCase {
         for (int i = 0; i < numValues; i++) {
             ParsedQuery parsedQuery = new ParsedQuery(new TermQuery(new Term("field", values[i])));
             when(queryShardContext.newParseContext(any(XContentParser.class))).thenReturn(queryParseContext);
-            when(queryParseContext.parseInnerQueryBuilder()).thenReturn((QueryBuilder) new TermQueryBuilder("field", values[i]));
+            when(queryParseContext.parseInnerQueryBuilder())
+                    .thenReturn(Optional.of((QueryBuilder) new TermQueryBuilder("field", values[i])));
             when(queryShardContext.toQuery(any(QueryBuilder.class))).thenReturn(parsedQuery);
             DirectoryReader wrappedDirectoryReader = wrapper.wrap(directoryReader);
             IndexSearcher indexSearcher = wrapper.wrap(new IndexSearcher(wrappedDirectoryReader));

From ad53f0080a38993a64b712567dffd816bf72294f Mon Sep 17 00:00:00 2001
From: Alexander Reelsen <alexander@reelsen.net>
Date: Mon, 6 Jun 2016 12:00:10 +0200
Subject: [PATCH 03/22] X-pack: Fix xpack usage action name to not use info
 action name

Original commit: elastic/x-pack-elasticsearch@a26e913521e7323937a3b80721aa652c87de2654
---
 .../elasticsearch/xpack/action/TransportXPackUsageAction.java   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/action/TransportXPackUsageAction.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/action/TransportXPackUsageAction.java
index 0aab9211c00..86dca578ad6 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/action/TransportXPackUsageAction.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/action/TransportXPackUsageAction.java
@@ -29,7 +29,7 @@ public class TransportXPackUsageAction extends HandledTransportAction<XPackUsage
     public TransportXPackUsageAction(Settings settings, ThreadPool threadPool, TransportService transportService,
                                      ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver,
                                      Set<XPackFeatureSet> featureSets) {
-        super(settings, XPackInfoAction.NAME, threadPool, transportService, actionFilters, indexNameExpressionResolver,
+        super(settings, XPackUsageAction.NAME, threadPool, transportService, actionFilters, indexNameExpressionResolver,
                 XPackUsageRequest::new);
         this.featureSets = featureSets;
     }

From dacc22f57a28d4248e1a4bb55cf412fe9ec2e7b8 Mon Sep 17 00:00:00 2001
From: Nik Everett <nik9000@gmail.com>
Date: Mon, 6 Jun 2016 10:43:14 -0400
Subject: [PATCH 04/22] Handle core's block_until_refresh

s/request.setRefresh/request.setRefreshPolicy/

setRefresh is still supported on the builder for backwards
compatibility but not on the request itself.

Original commit: elastic/x-pack-elasticsearch@8763e2e65f9aa883a71df8132fb0bb43f357df80
---
 .../elasticsearch/shield/authc/esnative/NativeUsersStore.java  | 3 ++-
 .../org/elasticsearch/shield/authz/store/NativeRolesStore.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
index 9b40c45a5a6..64655339f68 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
@@ -23,6 +23,7 @@ import org.elasticsearch.action.search.ClearScrollResponse;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchScrollRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.action.update.UpdateResponse;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
@@ -470,7 +471,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             DeleteRequest request = client.prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME,
                     USER_DOC_TYPE, deleteUserRequest.username()).request();
             request.indicesOptions().ignoreUnavailable();
-            request.refresh(deleteUserRequest.refresh());
+            request.setRefreshPolicy(deleteUserRequest.refresh() ? RefreshPolicy.IMMEDIATE : RefreshPolicy.WAIT_UNTIL);
             client.delete(request, new ActionListener<DeleteResponse>() {
                 @Override
                 public void onResponse(DeleteResponse deleteResponse) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
index afb7d220080..5d02cd7a60f 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
@@ -18,6 +18,7 @@ import org.elasticsearch.action.search.ClearScrollResponse;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchScrollRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
 import org.elasticsearch.cluster.ClusterState;
@@ -269,7 +270,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         try {
             DeleteRequest request = client.prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME,
                     ROLE_DOC_TYPE, deleteRoleRequest.name()).request();
-            request.refresh(deleteRoleRequest.refresh());
+            request.setRefreshPolicy(deleteRoleRequest.refresh() ? RefreshPolicy.IMMEDIATE : RefreshPolicy.WAIT_UNTIL);
             client.delete(request, new ActionListener<DeleteResponse>() {
                 @Override
                 public void onResponse(DeleteResponse deleteResponse) {

From 576a543a2811e276d3a39bac1cfd5a7aafc086d0 Mon Sep 17 00:00:00 2001
From: Jason Tedor <jason@tedor.me>
Date: Mon, 6 Jun 2016 22:09:58 -0400
Subject: [PATCH 05/22] Register watcher thread pool

This commit register the watcher thread pool in the thread pool module
in core, and also makes the necessary changes to reflect a refactoring
that took place in core.

Relates elastic/elasticsearch#2397

Original commit: elastic/x-pack-elasticsearch@be298a7578f6eeb9731bd27aaa5afceb94ffcdfc
---
 .../messy/tests/GroovyScriptConditionIT.java  |  3 +-
 .../messy/tests/ScriptConditionSearchIT.java  |  3 +-
 .../messy/tests/ScriptConditionTests.java     |  3 +-
 .../TransportMonitoringBulkActionTests.java   |  3 +-
 .../marvel/cleaner/CleanerServiceTests.java   |  3 +-
 .../shield/audit/AuditTrailModuleTests.java   |  3 +-
 .../index/IndexAuditTrailMutedTests.java      |  3 +-
 .../audit/index/IndexAuditTrailTests.java     |  3 +-
 .../IndexAuditTrailUpdateMappingTests.java    |  3 +-
 .../ActiveDirectoryRealmTests.java            |  3 +-
 .../authc/file/FileUserPasswdStoreTests.java  |  3 +-
 .../authc/file/FileUserRolesStoreTests.java   |  5 +-
 .../shield/authc/ldap/LdapRealmTests.java     |  3 +-
 .../authc/support/DnRoleMapperTests.java      |  3 +-
 .../authz/store/FileRolesStoreTests.java      |  3 +-
 .../crypto/InternalCryptoServiceTests.java    |  3 +-
 .../shield/ssl/SSLConfigurationTests.java     | 17 ++---
 .../SelfReschedulingRunnableTests.java        |  5 +-
 .../org/elasticsearch/xpack/XPackPlugin.java  |  8 +++
 .../elasticsearch/xpack/watcher/Watcher.java  | 28 ++++++---
 .../execution/InternalWatchExecutor.java      | 21 +------
 .../xpack/watcher/history/HistoryModule.java  |  3 -
 .../support/ThreadPoolSettingsBuilder.java    | 62 -------------------
 .../script/ScriptConditionSearchTests.java    |  3 +-
 .../script/ScriptConditionTests.java          |  3 +-
 .../script/ScriptTransformTests.java          |  3 +-
 26 files changed, 80 insertions(+), 123 deletions(-)
 delete mode 100644 elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/ThreadPoolSettingsBuilder.java

diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/GroovyScriptConditionIT.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/GroovyScriptConditionIT.java
index f286832382e..bd751eed42f 100644
--- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/GroovyScriptConditionIT.java
+++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/GroovyScriptConditionIT.java
@@ -11,6 +11,7 @@ import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.groovy.GroovyPlugin;
 import org.elasticsearch.search.aggregations.AggregationBuilders;
 import org.elasticsearch.search.aggregations.bucket.histogram.Histogram;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptCondition;
@@ -49,7 +50,7 @@ public class GroovyScriptConditionIT extends AbstractWatcherIntegrationTestCase
 
     @BeforeClass
     public static void startThreadPool() {
-        THREAD_POOL = new ThreadPool(GroovyScriptConditionIT.class.getSimpleName());
+        THREAD_POOL = new TestThreadPool(GroovyScriptConditionIT.class.getSimpleName());
     }
 
     @Before
diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionSearchIT.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionSearchIT.java
index 042de64dfb3..d467b68a68c 100644
--- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionSearchIT.java
+++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionSearchIT.java
@@ -18,6 +18,7 @@ import org.elasticsearch.search.aggregations.bucket.histogram.Histogram;
 import org.elasticsearch.search.internal.InternalSearchHit;
 import org.elasticsearch.search.internal.InternalSearchHits;
 import org.elasticsearch.search.internal.InternalSearchResponse;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptCondition;
@@ -50,7 +51,7 @@ public class ScriptConditionSearchIT extends AbstractWatcherIntegrationTestCase
 
     @Before
     public void init() throws Exception {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
         scriptService = MessyTestUtils.getScriptServiceProxy(tp);
     }
 
diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
index 500d35e70da..9c3679edc47 100644
--- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
+++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.script.GeneralScriptException;
 import org.elasticsearch.script.ScriptService.ScriptType;
 import org.elasticsearch.search.internal.InternalSearchResponse;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.Condition;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
@@ -49,7 +50,7 @@ public class ScriptConditionTests extends ESTestCase {
     
     @Before
     public void init() {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
     }
 
     @After
diff --git a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/action/TransportMonitoringBulkActionTests.java b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/action/TransportMonitoringBulkActionTests.java
index f9876038b73..d37e19023c3 100644
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/action/TransportMonitoringBulkActionTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/action/TransportMonitoringBulkActionTests.java
@@ -30,6 +30,7 @@ import org.elasticsearch.marvel.agent.exporter.Exporters;
 import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.transport.CapturingTransport;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
 import org.junit.After;
@@ -74,7 +75,7 @@ public class TransportMonitoringBulkActionTests extends ESTestCase {
 
     @BeforeClass
     public static void beforeClass() {
-        threadPool = new ThreadPool(TransportMonitoringBulkActionTests.class.getSimpleName());
+        threadPool = new TestThreadPool(TransportMonitoringBulkActionTests.class.getSimpleName());
     }
 
     @AfterClass
diff --git a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/cleaner/CleanerServiceTests.java b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/cleaner/CleanerServiceTests.java
index 97b3e7da384..769ee62f4a3 100644
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/cleaner/CleanerServiceTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/cleaner/CleanerServiceTests.java
@@ -11,6 +11,7 @@ import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.marvel.MonitoringSettings;
 import org.elasticsearch.marvel.MonitoringLicensee;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -40,7 +41,7 @@ public class CleanerServiceTests extends ESTestCase {
     @Before
     public void start() {
         clusterSettings = new ClusterSettings(Settings.EMPTY, Collections.singleton(MonitoringSettings.HISTORY_DURATION));
-        threadPool = new ThreadPool("CleanerServiceTests");
+        threadPool = new TestThreadPool("CleanerServiceTests");
     }
 
     @After
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
index 13581354c22..46bb410fca3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.indices.breaker.CircuitBreakerModule;
 import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.transport.Transport;
@@ -55,7 +56,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
                 .put("client.type", "node")
                 .build();
-        ThreadPool pool = new ThreadPool("testLogFile");
+        ThreadPool pool = new TestThreadPool("testLogFile");
         try {
             SettingsModule settingsModule = new SettingsModule(settings);
             settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailMutedTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailMutedTests.java
index a91bc3729b5..5e76ebd3921 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailMutedTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailMutedTests.java
@@ -25,6 +25,7 @@ import org.elasticsearch.shield.transport.filter.ShieldIpFilterRule;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportMessage;
@@ -58,7 +59,7 @@ public class IndexAuditTrailMutedTests extends ESTestCase {
         when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE },
                         DummyTransportAddress.INSTANCE));
 
-        threadPool = new ThreadPool("index audit trail tests");
+        threadPool = new TestThreadPool("index audit trail tests");
         transportClient = TransportClient.builder().settings(Settings.EMPTY).build();
         clientCalled = new AtomicBoolean(false);
         client = new InternalClient(transportClient) {
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
index be3a74d833f..066ee7b773e 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
@@ -43,6 +43,7 @@ import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInfo;
@@ -260,7 +261,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
         BoundTransportAddress boundTransportAddress = new BoundTransportAddress(new TransportAddress[]{DummyTransportAddress.INSTANCE},
                 DummyTransportAddress.INSTANCE);
         when(transport.boundAddress()).thenReturn(boundTransportAddress);
-        threadPool = new ThreadPool("index audit trail tests");
+        threadPool = new TestThreadPool("index audit trail tests");
         enqueuedMessage = new SetOnce<>();
         auditor = new IndexAuditTrail(settings, transport, Providers.of(internalClient()), threadPool, mock(ClusterService.class)) {
             @Override
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
index e87b7026fba..11b567456f0 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java
@@ -14,6 +14,7 @@ import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.junit.After;
@@ -39,7 +40,7 @@ public class IndexAuditTrailUpdateMappingTests extends ShieldIntegTestCase {
 
     @Before
     public void setup() {
-        threadPool = new ThreadPool("index audit trail update mapping tests");
+        threadPool = new TestThreadPool("index audit trail update mapping tests");
     }
 
     public void testMappingIsUpdated() throws Exception {
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java
index 547807fc2cd..68b4186dd46 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java
@@ -22,6 +22,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -92,7 +93,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
             directoryServer.startListening();
             directoryServers[i] = directoryServer;
         }
-        threadPool = new ThreadPool("active directory realm tests");
+        threadPool = new TestThreadPool("active directory realm tests");
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         globalSettings = Settings.builder().put("path.home", createTempDir()).build();
     }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
index 72c261e0c08..cb4735eec51 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java
@@ -16,6 +16,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.RefreshListener;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -62,7 +63,7 @@ public class FileUserPasswdStoreTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
index e74569c7eb0..09dfd3133e7 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.shield.audit.logfile.CapturingLogger;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.support.RefreshListener;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -63,7 +64,7 @@ public class FileUserRolesStoreTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After
@@ -224,7 +225,7 @@ public class FileUserRolesStoreTests extends ESTestCase {
     public void testParseFileEmptyRolesDoesNotCauseNPE() throws Exception {
         ThreadPool threadPool = null;
         try {
-            threadPool = new ThreadPool("test");
+            threadPool = new TestThreadPool("test");
             Path usersRoles = writeUsersRoles("role1:admin");
 
             Settings settings = Settings.builder()
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java
index 7ab06210a42..4be76a5c787 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.user.User;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -49,7 +50,7 @@ public class LdapRealmTests extends LdapTestCase {
 
     @Before
     public void init() throws Exception {
-        threadPool = new ThreadPool("ldap realm tests");
+        threadPool = new TestThreadPool("ldap realm tests");
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         globalSettings = Settings.builder().put("path.home", createTempDir()).build();
     }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
index 3dd07e2e15c..2ae0276059b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java
@@ -13,6 +13,7 @@ import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.activedirectory.ActiveDirectoryRealm;
 import org.elasticsearch.shield.authc.ldap.LdapRealm;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -69,7 +70,7 @@ public class DnRoleMapperTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
index 6dc6bbabd26..0a0ccfd206c 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.shield.authz.permission.RunAsPermission;
 import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -257,7 +258,7 @@ public class FileRolesStoreTests extends ESTestCase {
                     .build();
 
             Environment env = new Environment(settings);
-            threadPool = new ThreadPool("test");
+            threadPool = new TestThreadPool("test");
             watcherService = new ResourceWatcherService(settings, threadPool);
             final CountDownLatch latch = new CountDownLatch(1);
             FileRolesStore store = new FileRolesStore(settings, env, watcherService, new RefreshListener() {
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
index d97d5fcf095..ef6d5cc9404 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
@@ -10,6 +10,7 @@ import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -53,7 +54,7 @@ public class InternalCryptoServiceTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
         watcherService = new ResourceWatcherService(settings, threadPool);
         watcherService.start();
     }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java
index f356e916728..9d0f4a76807 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.shield.ssl.SSLConfiguration.Custom;
 import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
 import org.elasticsearch.shield.ssl.TrustConfig.Reloadable.Listener;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 
@@ -321,7 +322,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -384,7 +385,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload pem");
+        ThreadPool threadPool = new TestThreadPool("reload pem");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -460,7 +461,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -506,7 +507,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -554,7 +555,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -603,7 +604,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload pem");
+        ThreadPool threadPool = new TestThreadPool("reload pem");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -654,7 +655,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -693,7 +694,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/SelfReschedulingRunnableTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/SelfReschedulingRunnableTests.java
index 04bb5e1f73e..d3d7cd21553 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/SelfReschedulingRunnableTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/SelfReschedulingRunnableTests.java
@@ -10,6 +10,7 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 
@@ -189,7 +190,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
     }
 
     public void testStopPreventsRunning() throws Exception {
-        final ThreadPool threadPool = new ThreadPool("test-stop-self-schedule");
+        final ThreadPool threadPool = new TestThreadPool("test-stop-self-schedule");
         final AtomicInteger failureCounter = new AtomicInteger(0);
         final AtomicInteger runCounter = new AtomicInteger(0);
         final AbstractRunnable runnable = new AbstractRunnable() {
@@ -232,7 +233,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
     }
 
     public void testStopPreventsRescheduling() throws Exception {
-        final ThreadPool threadPool = new ThreadPool("test-stop-self-schedule");
+        final ThreadPool threadPool = new TestThreadPool("test-stop-self-schedule");
         final CountDownLatch threadRunningLatch = new CountDownLatch(randomIntBetween(1, 16));
         final CountDownLatch stopCalledLatch = new CountDownLatch(1);
         final AbstractRunnable runnable = new AbstractRunnable() {
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index b519da5d489..a47a847104b 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -26,6 +26,8 @@ import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.AuthenticationModule;
+import org.elasticsearch.threadpool.ExecutorBuilder;
+import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.xpack.action.TransportXPackInfoAction;
 import org.elasticsearch.xpack.action.TransportXPackUsageAction;
 import org.elasticsearch.xpack.action.XPackInfoAction;
@@ -51,6 +53,7 @@ import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 
 public class XPackPlugin extends Plugin {
 
@@ -201,6 +204,11 @@ public class XPackPlugin extends Plugin {
         licensing.onModule(module);
     }
 
+    @Override
+    public List<ExecutorBuilder<?>> getExecutorBuilders(final Settings settings) {
+        return watcher.getExecutorBuilders(settings);
+    }
+
     public void onModule(NetworkModule module) {
         if (!transportClientMode) {
             module.registerRestHandler(RestXPackInfoAction.class);
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
index 3852826defd..2f8b1e1ce2f 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
@@ -20,13 +20,18 @@ import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
+import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.script.ScriptModule;
+import org.elasticsearch.threadpool.ExecutorBuilder;
+import org.elasticsearch.threadpool.FixedExecutorBuilder;
+import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.xpack.common.init.LazyInitializationModule;
 import org.elasticsearch.xpack.watcher.actions.WatcherActionModule;
 import org.elasticsearch.xpack.watcher.client.WatcherClientModule;
 import org.elasticsearch.xpack.watcher.condition.ConditionModule;
 import org.elasticsearch.xpack.watcher.execution.ExecutionModule;
+import org.elasticsearch.xpack.watcher.execution.InternalWatchExecutor;
 import org.elasticsearch.xpack.watcher.history.HistoryModule;
 import org.elasticsearch.xpack.watcher.history.HistoryStore;
 import org.elasticsearch.xpack.watcher.input.InputModule;
@@ -132,14 +137,7 @@ public class Watcher {
     }
 
     public Settings additionalSettings() {
-        if (enabled == false || transportClient) {
-            return Settings.EMPTY;
-        }
-        Settings additionalSettings = Settings.builder()
-                .put(HistoryModule.additionalSettings(settings))
-                .build();
-
-        return additionalSettings;
+        return Settings.EMPTY;
     }
 
     public void onModule(ScriptModule module) {
@@ -171,6 +169,20 @@ public class Watcher {
         module.registerSetting(Setting.simpleString("xpack.watcher.start_immediately", Setting.Property.NodeScope));
     }
 
+    public List<ExecutorBuilder<?>> getExecutorBuilders(final Settings settings) {
+        if (XPackPlugin.featureEnabled(settings, Watcher.NAME, true)) {
+            final FixedExecutorBuilder builder =
+                    new FixedExecutorBuilder(
+                            settings,
+                            InternalWatchExecutor.THREAD_POOL_NAME,
+                            5 * EsExecutors.boundedNumberOfProcessors(settings),
+                            1000,
+                            "xpack.watcher.thread_pool");
+            return Collections.singletonList(builder);
+        }
+        return Collections.emptyList();
+    }
+
     public void onModule(NetworkModule module) {
         if (enabled && transportClient == false) {
             module.registerRestHandler(RestPutWatchAction.class);
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/InternalWatchExecutor.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/InternalWatchExecutor.java
index 4d270496c08..668bdc53d6b 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/InternalWatchExecutor.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/execution/InternalWatchExecutor.java
@@ -6,37 +6,17 @@
 package org.elasticsearch.xpack.watcher.execution;
 
 import org.elasticsearch.common.inject.Inject;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.common.util.concurrent.EsThreadPoolExecutor;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.Watcher;
-import org.elasticsearch.xpack.watcher.support.ThreadPoolSettingsBuilder;
 
 import java.util.concurrent.BlockingQueue;
 import java.util.stream.Stream;
 
-/**
- *
- */
 public class InternalWatchExecutor implements WatchExecutor {
 
     public static final String THREAD_POOL_NAME = Watcher.NAME;
 
-    public static Settings additionalSettings(Settings nodeSettings) {
-        Settings settings = nodeSettings.getAsSettings("threadpool." + THREAD_POOL_NAME);
-        if (!settings.names().isEmpty()) {
-            // the TP is already configured in the node settings
-            // no need for additional settings
-            return Settings.EMPTY;
-        }
-        int availableProcessors = EsExecutors.boundedNumberOfProcessors(nodeSettings);
-        return new ThreadPoolSettingsBuilder.Fixed(THREAD_POOL_NAME)
-                .size(5 * availableProcessors)
-                .queueSize(1000)
-                .build();
-    }
-
     private final ThreadPool threadPool;
 
     @Inject
@@ -67,4 +47,5 @@ public class InternalWatchExecutor implements WatchExecutor {
     private EsThreadPoolExecutor executor() {
         return (EsThreadPoolExecutor) threadPool.executor(THREAD_POOL_NAME);
     }
+
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryModule.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryModule.java
index e9e65252e7d..3c325c0f0e0 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/history/HistoryModule.java
@@ -21,7 +21,4 @@ public class HistoryModule extends AbstractModule {
         bind(HistoryStore.class).asEagerSingleton();
     }
 
-    public static Settings additionalSettings(Settings nodeSettings) {
-        return InternalWatchExecutor.additionalSettings(nodeSettings);
-    }
 }
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/ThreadPoolSettingsBuilder.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/ThreadPoolSettingsBuilder.java
deleted file mode 100644
index b477be19c25..00000000000
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/support/ThreadPoolSettingsBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.xpack.watcher.support;
-
-import org.elasticsearch.common.settings.Settings;
-
-/**
- *
- */
-public abstract class ThreadPoolSettingsBuilder<B extends ThreadPoolSettingsBuilder> {
-
-    public static Same same(String name) {
-        return new Same(name);
-    }
-
-    protected final String name;
-    private final Settings.Builder builder = Settings.builder();
-
-    protected ThreadPoolSettingsBuilder(String name, String type) {
-        this.name = name;
-        put("type", type);
-    }
-
-    public Settings build() {
-        return builder.build();
-    }
-
-    protected B put(String setting, Object value) {
-        builder.put("threadpool." + name + "." + setting, value);
-        return (B) this;
-    }
-
-    protected B put(String setting, int value) {
-        builder.put("threadpool." + name + "." + setting, value);
-        return (B) this;
-    }
-
-    public static class Same extends ThreadPoolSettingsBuilder<Same> {
-        public Same(String name) {
-            super(name, "same");
-        }
-    }
-
-    public static class Fixed extends ThreadPoolSettingsBuilder<Fixed> {
-
-        public Fixed(String name) {
-            super(name, "fixed");
-        }
-
-        public Fixed size(int size) {
-            return put("size", size);
-        }
-
-        public Fixed queueSize(int queueSize) {
-            return put("queue_size", queueSize);
-        }
-    }
-
-}
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionSearchTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionSearchTests.java
index a8fc5743f6c..f814c67f1f9 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionSearchTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionSearchTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.search.aggregations.bucket.histogram.Histogram;
 import org.elasticsearch.search.internal.InternalSearchHit;
 import org.elasticsearch.search.internal.InternalSearchHits;
 import org.elasticsearch.search.internal.InternalSearchResponse;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.watcher.support.Script;
@@ -40,7 +41,7 @@ public class ScriptConditionSearchTests extends AbstractWatcherIntegrationTestCa
 
     @Before
     public void init() throws Exception {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
         scriptService = WatcherTestUtils.getScriptServiceProxy(tp);
     }
 
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java
index c24b79efd5e..b495fe3f3cc 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/condition/script/ScriptConditionTests.java
@@ -18,6 +18,7 @@ import org.elasticsearch.script.GeneralScriptException;
 import org.elasticsearch.script.ScriptService.ScriptType;
 import org.elasticsearch.search.internal.InternalSearchResponse;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.Condition;
 import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
@@ -48,7 +49,7 @@ public class ScriptConditionTests extends ESTestCase {
 
     @Before
     public void init() {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
     }
 
     @After
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transform/script/ScriptTransformTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transform/script/ScriptTransformTests.java
index 910ee7a8341..6e971535e16 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transform/script/ScriptTransformTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transform/script/ScriptTransformTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.script.ExecutableScript;
 import org.elasticsearch.script.GeneralScriptException;
 import org.elasticsearch.script.ScriptService.ScriptType;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.watcher.support.Script;
@@ -53,7 +54,7 @@ public class ScriptTransformTests extends ESTestCase {
 
     @Before
     public void init() {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
     }
 
     @After

From 41ea6ee51500b3cfba9e89ec4db670ae208269b7 Mon Sep 17 00:00:00 2001
From: Boaz Leskes <b.leskes@gmail.com>
Date: Tue, 7 Jun 2016 14:37:02 +0200
Subject: [PATCH 06/22] AwaitFix ActiveDirectoryGroupsResolverTests

Original commit: elastic/x-pack-elasticsearch@00f10522126a7fade8afc9f6e671be8a049c7edd
---
 .../activedirectory/ActiveDirectoryGroupsResolverTests.java     | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
index a8545833124..09df0fc35cb 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc.activedirectory;
 
 import com.unboundid.ldap.sdk.Filter;
+import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.shield.authc.ldap.GroupsResolverTestCase;
@@ -22,6 +23,7 @@ import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
 
 @Network
+@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2440")
 public class ActiveDirectoryGroupsResolverTests extends GroupsResolverTestCase {
 
     public static final String BRUCE_BANNER_DN = "cn=Bruce Banner,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";

From 370406bdc0079e4cdab8522c62fd9041b7ee269b Mon Sep 17 00:00:00 2001
From: jaymode <jay.modi@elasticsearch.com>
Date: Tue, 7 Jun 2016 08:56:42 -0400
Subject: [PATCH 07/22] test: update active directory certificate

This change removes the old active directory certificate and replaces it with the AD
CA certificate that is valid until 2029 instead of needing to be changed yearly.

Closes elastic/elasticsearch#2440

Original commit: elastic/x-pack-elasticsearch@2f05bdfd015ef86ae7b8d9111b56cc60bb69d588
---
 .../ActiveDirectoryGroupsResolverTests.java   |   2 -
 .../test/ShieldSettingsSource.java            |   2 +-
 .../shield/authc/ldap/support/ldaptrust.jks   | Bin 2810 -> 2111 bytes
 .../ssl/certs/simple/active-directory-ca.crt  |  23 +++++++++++
 .../transport/ssl/certs/simple/activedir.crt  |  38 ------------------
 .../certs/simple/testnode-no-subjaltname.jks  | Bin 6983 -> 6284 bytes
 .../transport/ssl/certs/simple/testnode.jks   | Bin 7104 -> 6405 bytes
 7 files changed, 24 insertions(+), 41 deletions(-)
 create mode 100644 elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt
 delete mode 100644 elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
index 09df0fc35cb..a8545833124 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryGroupsResolverTests.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.shield.authc.activedirectory;
 
 import com.unboundid.ldap.sdk.Filter;
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.shield.authc.ldap.GroupsResolverTestCase;
@@ -23,7 +22,6 @@ import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.is;
 
 @Network
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2440")
 public class ActiveDirectoryGroupsResolverTests extends GroupsResolverTestCase {
 
     public static final String BRUCE_BANNER_DN = "cn=Bruce Banner,CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com";
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
index 6e148315bda..f438116cd7c 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java
@@ -217,7 +217,7 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
             return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.pem", "testnode",
                     Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
                     Arrays.asList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-client-profile.crt",
-                            "/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt",
+                            "/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/openldap.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authc/ldap/support/ldaptrust.jks b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authc/ldap/support/ldaptrust.jks
index 37f8edfe8449702c16a813bab61626f335acc5b1..2b8287d88f094742e02557fbdf85d9d70447c637 100644
GIT binary patch
delta 741
zcmV<B0vi4L6~7R$Km;#UD&caz00mesH842<00Y}Ff&<quf&#yw0|Eg80uWdYxUEvV
z7K%WC;olM}KUR}+1e6;zFgP+dF*Y(XG%{Kj4Kg_}I5IaeHZw9bGFp>?1c8$R0U&>~
zO=iH!`dDle`a&W@Wvj2n#|!s8O^o<We@V5gEK6T)y+BTR{qQ_7j*z3%OcK$%cI*E0
zt`W+~eoJc{lH0Kn@v^BcBe<!>R?IRGol|7lcfqZMzd8@PJ}=9|{H3@1#QW(7Sb{-w
zgSw0APX{B6qbf}4xO>(_<fN|-O!|MH_;`<}N{WRRq3LyPsW(25;Es~*zQREZY%Kgl
z+{N|Ax>D`f#JIcOlU<Wc15Ri<C03NlRB1{`$sd3~r_`01u93$st!^G3<o~=Y$yoNA
zOiUcpur#$26H5Qxu~4_rY-Ie`hIaRgMcf2T5T89a=AMBszLP$}sy8BMUz>jep#lQ|
z00E;>Fi$WG1_M<c4+I1Q0s)3F4+aBO9TNco{{#gv0|5d5FdYU1RUHll76cT53L8S5
zNmFE;rwnFB)0C<^H^U<^5C#b=1_1;Cf;SZb1OoyA05A;(2`Yw2hW8Bt0Sg5H1A+ko
z0AOukS3R)|OiLnFZ0N>h@YjC=Ku8x)Y8-kB2rjlUs@w#lZ!RgFP?Nw;F?2B%$Wf+x
z$x^4^w%vHaxu~jC`&h%n{DyJ1>(X?qhYlC@S2@QKE#t5qP{F@uyT>>IO9wS59&}8*
z^zO@C24Gk=?;4!mgurPmb_m<>h|yQ2H&fy-6xztFXrH);KZzDY;3<D$o}6&<(5!*V
z+?zi_Q?QNY97<G5S?Y_rW--q4UkB3Pb6T{BJioWzAVwV3rO8gWH{I8On{iiHrq&Vb
z$h%Wc)|F(EcSl33F10Be#E|bWl*_H3V$voQ@TE}2*wcK6`+&fO`EGd|*!(>}D7|(q
XM<f*?3?R+|aRYq+#L5Nw9IC)~*IPmA

delta 1566
zcmdll@Jn=q1B;R0?At8+7+53pObsj<7}%y6G_g%GXkx8ez|6$R#3by^z`(%#Uwq!x
z9gQNqKsJy!IiF=psHuUup_!qDv5~1klsK=U8IWrV<r-K3xh8DPp)Ab8x~@5i#U+`^
z!KsNw$r+9*A*sbBdWk7|B_KK#B3BHS(@W0Joy^FnSij<ZVgiGZaF}bU<+Jzal%F5U
zU&=FSxxA^~_c=~+3c~GWCuUlGQ+xjLguFz2|F8OMt~HAJ7q%^&-afB;TU4ha?;ca<
z7kyhLP9*&Ae|6p~MkI=Puk&y1qjiiya<NaYvDdNu?UKCydUK<yXq{e)vg_7{<8L-P
zN7}l~J9|g=%trS5H^-_uXIz&uys_&-q4U|@sTUV2Mh4to+8@g2#1zi-TJ^Lk-}Z*b
zvu#Vi&xlTtTaqcCzHn0dj5C`fn3b6gWySj+?J1q<e!*9qhck|cPb)lHO5t6S{>QIH
zug%&lnNuaN-3(>_raw8#r1}K+58WvjCv817|5d)gj3sjN$6MZYpQtx-W@2V!U|ih9
z>}$}(>}jCS#;MK5$imoUF2cm3B&WdO!jR99%aF*B$&kn33}ojqlrR(l=^P+TWhgR`
z1qQvWDvOwb2pb1bCo3yEGZUP}Xut=O=4WL5&%(mY#Ja$sf{jzF&7<u*FC!;EOSVCM
zCQt<jM1+}%iHV^BiO&M&bF*<Kw0SV5GP5vh86a_VkvUAr999E%HdbvuW+rw6F1X?B
z29Y4A2(knj1T2t;`Lf<zl5v3$i-1+IMQGteYnRpQa`+$CN!B)zmXsi&z{euSBGPyy
zD05k6S$R>Co(G3$m*b_5<yr>vAgh&GBn-qFL>jrIo#uK5r_5Q-ljb)09~(z~<7bex
zJWJzigT@yIjZYUeK3dRtzpe33PD)~dmA<~dv!88Zimt1VV{nM4bFiypkh6!Qi>|Yy
z4p0J1k_QPpy99u!fYPL#%w$y~1Mk#IAQ_xmRF;{XS`3ncv+F_1^YhX&(@TpIOEUBG
zbX=T)_JK%H#sSeNc?To_%s%$XsYNB3X_?81C8<HFW%)oFsMja6xWqmwu{hN}KPf9U
zxx^Wm>xylYgM3_o5=EIwr65HC`I&ho2938N>7<^Oosp5H@ti^9X@kZSu(V^q)YiD0
zm;i9}1cw7LKE>|Qdcr<+bVm3Ui|^o)K)*SbmSp4?WtLPL@WPWiBR4Apa}y&YL;t0;
zJ4`1(yjzpoqcZXSNfWl~J(m>gRor`TuG`?RqknmtDEArNoq`wB)3$vnGOr01IV#9y
z7Wn1aVFzV}^!?@uz58kmR%gWRS?`g+BVcB~g+tz3^Wx_%4SBOg7r$L=wsw}cxAbJg
zoyj4Nmro|P@$S4U>giy-rZ0eloln7A|JF99ealvxm&SCP8Q$v3sbKk(ku#ffNBzD@
zZOs{lp&ugl|C<=hd*=J|l`lTBEnapb_rPtI<EPIzPW&hG?6R{_+shlg?dw<_)vqep
zt32>3ek`;9Nbgei2APgn-JZ=2O<EPgt@~|vPIA7v_u|d7cB*DBbKbxHzFb|~fAfRM
jyUjCF+*YiWxy*7#(OYHhKI0kfn+umz?ao})!RQPC;io2m

diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt
new file mode 100644
index 00000000000..453d1361ce4
--- /dev/null
+++ b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgIQWA24rVK7FopAgOHfEio/VjANBgkqhkiG9w0BAQsFADB+
+MRMwEQYKCZImiZPyLGQBGRYDY29tMR0wGwYKCZImiZPyLGQBGRYNZWxhc3RpY3Nl
+YXJjaDEUMBIGCgmSJomT8ixkARkWBHRlc3QxEjAQBgoJkiaJk/IsZAEZFgJhZDEe
+MBwGA1UEAxMVYWQtRUxBU1RJQ1NFQVJDSEFELUNBMB4XDTE0MDgyNzE2MjI0MloX
+DTI5MDgyNzE2MzI0MlowfjETMBEGCgmSJomT8ixkARkWA2NvbTEdMBsGCgmSJomT
+8ixkARkWDWVsYXN0aWNzZWFyY2gxFDASBgoJkiaJk/IsZAEZFgR0ZXN0MRIwEAYK
+CZImiZPyLGQBGRYCYWQxHjAcBgNVBAMTFWFkLUVMQVNUSUNTRUFSQ0hBRC1DQTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALNNZsDJ+lhsE/pCIkNlq6/F
+xwv3PU2M+E1/SbWrLEtfbb1ATnn98DwxjpCj00wS0bt26/7zrhHKyX5LaxyS27ER
+8bKpLSO4qcVWzDIQnVNk2XfBrYS/Og+6Pi/Lw/ylt/vE++kHWIJBc4O6i+pPByOM
+oypM6bh71kTkpK8OTPqf+HiPp0qKhRah6XVtqTc+kOCOku2+wkELbCz8RNzF9ca6
+Uu3YxLi73pNdk0wDTmg6JVaUyVRpSkjJH4BAp9SVma6Rxy6tbh4e5P+8K8lY9ptM
+TBzTsDS1EhNK/92xULfQbGT814Z294pF3ARMEJ89N+aegS++kz7CqjciZ1+bA6EC
+AwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
+FIEKG0KdSVNknKcMZkbTlKo7N8MjMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3
+DQEBCwUAA4IBAQBgbWBXPbEMTEsiVWzoxmTw1wJASBdPahx6CggutjGq3ASjby4p
+nVCTwE4xdDEVyFGmeslSp9+23XjBuaiqVPtYw8P8hnG269J0q4cOF/VXOccRLeOw
+HVDBv2a7xzgBSwc1KB50TLv07stcBmBYNu8anN6EwGksdgjb8IjRV6U3U+IvFNrI
+rGifuIc/iRZD4Clhnpxw8tCsgcrcmz9CU7CN5RxKVEpZ6ou6ZjHO8l8H0t9zWrSI
+PL+33iBGHNWlyU63N93XgJtxV1em1hHryLtTTtaVZJJ3R0OrLrUpG8SQ7zCUy62f
+YtImFPClUMXY03yH+4DAhflueRvY/D1AKL12
+-----END CERTIFICATE-----
diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt
deleted file mode 100644
index 49a4416a2cf..00000000000
--- a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt
+++ /dev/null
@@ -1,38 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGkjCCBXqgAwIBAgITSwAAAAP/F57VuIEUDQAAAAAAAzANBgkqhkiG9w0BAQsF
-ADB+MRMwEQYKCZImiZPyLGQBGRYDY29tMR0wGwYKCZImiZPyLGQBGRYNZWxhc3Rp
-Y3NlYXJjaDEUMBIGCgmSJomT8ixkARkWBHRlc3QxEjAQBgoJkiaJk/IsZAEZFgJh
-ZDEeMBwGA1UEAxMVYWQtRUxBU1RJQ1NFQVJDSEFELUNBMB4XDTE1MDcxNjE4MzI1
-MFoXDTE2MDcxNTE4MzI1MFowODE2MDQGA1UEAxMtRWxhc3RpY1NlYXJjaEFkVGVz
-dC5hZC50ZXN0LmVsYXN0aWNzZWFyY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAqO9hYAASE1ZFdTnm784j58JvpQySpx81LvecQl4gE4d2yJk6
-9ibn8cgfGF+P+n/WRXwhb9C2oZeHnou2WokhDbw1Q+iOtRjIYP+P6s9KXBRaA71D
-+yvFfgFSHl3k1gd+BP2KGdfrs4ElFX4uZCNFtYDH7LFDWT1Ens3cHcyxB+zGewmY
-1xox2LrQcUPNu2XRoSFZUNulj1UOQgJXAuslyzUOt4Djmz1195hbYB6kaR9noZJn
-mMyzWAMjAzEdF4/ivHWZR9BNFwwJXgwOKldbGiDuYi/x9XLrNoY5A2UZ1tlVB/Yv
-k1o0e8gL+C2U0ZK1yp/qbxCYpB4fx4Tui8gyQwIDAQABo4IDTTCCA0kwLwYJKwYB
-BAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwAZQByMB0GA1Ud
-JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAweAYJKoZI
-hvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAsGCWCG
-SAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCGSAFlAwQBBTAH
-BgUrDgMCBzAKBggqhkiG9w0DBzBZBgNVHREEUjBQoB8GCSsGAQQBgjcZAaASBBA6
-UzhVceE7RKuubA/hfhl9gi1FbGFzdGljU2VhcmNoQWRUZXN0LmFkLnRlc3QuZWxh
-c3RpY3NlYXJjaC5jb20wHQYDVR0OBBYEFIHEUmmmaXZ3cmIuSAgVikHSiKcqMB8G
-A1UdIwQYMBaAFIEKG0KdSVNknKcMZkbTlKo7N8MjMIHzBgNVHR8EgeswgegwgeWg
-geKggd+GgdxsZGFwOi8vL0NOPWFkLUVMQVNUSUNTRUFSQ0hBRC1DQSxDTj1FbGFz
-dGljU2VhcmNoQWRUZXN0LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNl
-cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWFkLERDPXRlc3QsREM9
-ZWxhc3RpY3NlYXJjaCxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9i
-YXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHbBggrBgEFBQcB
-AQSBzjCByzCByAYIKwYBBQUHMAKGgbtsZGFwOi8vL0NOPWFkLUVMQVNUSUNTRUFS
-Q0hBRC1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vy
-dmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZCxEQz10ZXN0LERDPWVsYXN0aWNz
-ZWFyY2gsREM9Y29tP2NBQ2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0
-aWZpY2F0aW9uQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQCP0mbcAsnw7qxt
-jCSR38k0BteM0iEkR43ZrrBPLC/TlhULzC25EdFnZrb0cjd8UxTFEQo2UfTmw0Aj
-IGe/N2CNvnwwq2hevK9IYAwQNj+0CB9LKdHztIBumxWj7a02rZpLSxuTMbljVEHT
-yWGGDbndFUlAM6yOUAgHDiBLL9q2Ar6mqzd1XIs2MdqKbHgE8mhsmwm4vpKGg2hx
-VfBYv/6RUw3M9+ep6PEGo6bYbcDbBMfLz4GR/hTm00MyhunYDYeuBUEn1SA/JOBK
-c+Mcv8SNpQeAHIhdLYyzgIIqeBOFvz25kkPZvdHZzT4lNkSc7+v3pycrT7Pgk7s3
-aGRGqK0c
------END CERTIFICATE-----
diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-no-subjaltname.jks b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-no-subjaltname.jks
index 81f947afcc149ed23d452ac182283f813d1d2543..ec482775bd055647acc6297c5368a74ad8388c70 100644
GIT binary patch
delta 701
zcmV;u0z&=AHjFW_V+;jVD%ZJPlOYos5fE4nxUEvV7K%WC;olM}KUR~K44V`(GBh$;
z7Y#BwFgP+dF*Y+YG%{L~qzr+Q7$ASMO=iH!`dDle`a&W@Wvj2n#|!s8O^o<We@V5g
zEK6T)y+BTR{qQ_7j*z3%OcK$%cI*E0t`W+~eoJc{lH0Kn@v^BcBe<!>R?IRGol|7l
zcfqZMzd8@PJ}=9|{H3@1#QW(7Sb{-wgSw0APX{B6qbf}4xO>(_<fN|-O!|MH_;`<}
zN{WRRq3LyPsW(25;Es~*zQREZY%Kgl+{N|Ax>D`f#JIcOlU<Wc15Ri<C03NlRB1{`
z$sd3~r_`01u93$st!^G3<o~=Y$yoNAOiUcpur#$26H5Qxu~4_rY-Ie`hIaRgMcf2T
z5T89a=AMBszLP$}sy8BMUz;-np#lQ|00E;>Fi$WG1_M<c4+I1Q0s)3F4+aBO9TNco
z{{#gv0|5d5FdYU1RUHll76g;A4;FtA1_>($0R#bpHx&T{0|Eg6FbxI?Duzgg_YDC7
z3k3iJf&l>lU~OPmJ+TZ-OCnWl=*DF5*8)ID7f)&&dI|_GwlS*Q1fy>*DV<Q0z)mrA
zF%`&Brh3Uzr{A{Sc)_`-s#N<}!^8ZBaklHybgPFB7xh;;#}O^#upLmrzh-~C$2b8?
z2Q?@jbWFSS?#o;TU|2Tq8l2vQz-cUY2;1<8(O0E6Q{pca+Q_VEpSXuVi55fPDPf+R
zaPrWsfy&&QKSEQmjpZClR7zRui@Ihp&hlRe(%*Ahw1_;vx85K|9Mz@CPPaGR*MOUG
zS68Oi5$njiQ%=^EWRiDBL#rn)wJ96Kknb>*%dMYc(k2w}rBKD#(|m{ffWU?MZh0Hn
j{5?P@y>_z+6DkN4gTOsLL$l^x<9KtAB3rU1C-Pi+zqvPK

delta 1579
zcmeA%JZ`ojna9X0Bu<^3fi*(U)WDK~fo+;W6Wb(%Cf2G2%uI|-Ov2s_3=B-7w=M>-
zL^XW_vVpwGlXzzPnV6cGM~U+qni^ObnH!pcxds-7W(Fo~%%LpI!n&?GiNz(E$-$|K
zMadbCDIuxFC3=Y|dL<w_6(Uy*meWhl&z*dbSFwKP3bjusHvih%dh}sI@b@FtrYTA#
z%Ql)W@-$g7eVRpbyEuoUFx&37gtG|?t^fGU|NQjlvCvroFQ?z#tz_TnbVlph!4p{?
zk2RMnc_=KMV&pdU>AV+C`}jMeuddhebh@*??Dt=tB~2=ZYdUYTW!5ZJQDs=Qc3Pc{
zfN%iA>ZnD+KJ}m8=dPXgcS&26l(EpH@PAKF`8;a5&$eZ^^^HSCZ?9iVy<d6fwA159
zwy(Sc3k`oPPA`Al;5JM8<+&+N(+#iBXlXdwAa;KGm9u_9bE=j;%RiNMZrz)dtR(f2
zwv~*vD@)&JPmdDOtFZW3RN5$LHR0@*;9ZFhEQuG@Ch<yfADPGWrhXYe6Eh<N<KiY}
zUxOxQPXm26PHi?u7RDxX5hfNTIRyq6hJ1!xhD3%;hCBvmAUlttgrNvX=Kx_ULy>_j
zFz97fS;P!P*f@YXSy|bcncyr&13r*6KO^IR78YhE)&&L?Y@Awc9&O)w89Dh`vJL7p
zfhss4BFs!oObiW3d=@aDn~gJ}&4V$OnT1iy0EwfE%wa<2uo|$lv1;=%GqD?R!3}4J
zxRj4Yj78-C(*Ls$)<_HGEUVAZG<iPXaMA8F9tQFtrz*2Z7>G59G;&Eh&GigUnX{ZH
z&F%7(Ro3Q*l?@s{gH*_~G`==yd|}Y|bV1{z1&#OH8t>$!Bo<id>+3uF*(Rpwy81W<
zhj=;%yE+CrdpNr2Iy>qBC9ot-pm4pdvr7O-I-oQuCo@^q$iO?b5=aK87L{ctrxt^x
zklD`pd1;yHrA3J)nfZA-F3v#vKqM%EgJ_gA4iW$+bNl4fqLR$C%;dz9)S%R|d>{?f
z>yuerVxN>)Uz}>6pOlrFT;dGO9>uoFK|U@(nWD_3Qjn^E{LH)(gT~vi2xVksX*_4p
zc-o-x1Wd?)sjYE0F#+J{2@VHTkJeMyr;g4DzXE-S?m4(5&})vRB^mie^_eA=29cm>
z6=VrA2v{HwPyUjO3xrq%tb#2<3m;m$tX`MH|FBN7wu!VN#()=|+!?u98JL?G85!b#
zF0oF@&ndh*Q|^I4eMUUv|I5LPPscl!FDgr0y2J46*T42ARezKpx%Dw$l41Y*DdcZV
z$At~majF4()}|*p82O7ST<+==m>tC4;80~7)Ejd7$DJhOgvAasCLW2oIcbsNrn?JV
zzc?MZTO%kjt*+vDV~NevhqpBKS%0W;?A+{I@G3y-{{J?kKdQG?l0Vk7eTlx!t{?L^
z{PT*%pHH^TH@nata&pe6U;EO8TvtU|{<(4><rVXS^MUQHUk=wR|F2JWzHx8Kog0Bm
zKI*I&bDR_TR@yvymy+S(DyO9T@!KaIlV;DUSza?|^1HgP>2qQmgdTcd(|9M5o3N^;
x=y9WXv3Z(RyEdpiXW#;*+2qZU0`eRpa_S~d*H}xRJ?Wq1zQ(9;T1?;$ApnSkJ=y>O

diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks
index 39955d91a2ed2cbf5d9c97330a4ade007f502e47..f034f5b005a43c7c8d2508fa55fe2f6f88417b8e 100644
GIT binary patch
delta 761
zcmV<V0tWrSH-$2=*#j?CD%AQ&00mesH842<00Y}Ff&<quf&#yw0|Eg80uWdYxUEvV
z7K%WC;olM}KUR|q1e6;zFgP+dF*Y(XG%{Kj4Kg_}I5IaeHZw9bGFp=w1c8%+3m|{9
zO=iH!`dDle`a&W@Wvj2n#|!s8O^o<We@V5gEK6T)y+BTR{qQ_7j*z3%OcK$%cI*E0
zt`W+~eoJc{lH0Kn@v^BcBe<!>R?IRGol|7lcfqZMzd8@PJ}=9|{H3@1#QW(7Sb{-w
zgSw0APX{B6qbf}4xO>(_<fN|-O!|MH_;`<}N{WRRq3LyPsW(25;Es~*zQREZY%Kgl
z+{N|Ax>D`f#JIcOlU<Wc15Ri<C03NlRB1{`$sd3~r_`01u93$st!^G3<o~=Y$yoNA
zOiUcpur#$26H5Qxu~4_rY-Ie`hIaRgMcf2T5T89a=AMBszLP$}sy8BMUz>jep#lQ|
z00E;>Fi$WG1_M<c4+I1Q0s)3F4+aBO9TNco{{#gv0|5d5FdYU1RUHll76cT53L8S5
zNmFE;rwnFB)0C<^H^U<^5C#b=1_1;Cf;SZb1OoyA05A;(2`Yw2hW8Bt0Sg5H1A+ko
z0AOukS3R)|OiLnFZ0N>h@YjC=Ku8x)Y8-kB2rjlUs@w#lZ!RgFP?Nw;F?2B%$Wf+x
z$x^4^w%vHaxu~jC`&h%n{DyJ1>(X?qhYlC@S2@QKE#t5qP{F@uyT>>IO9wS59&}8*
z^zO@C24Gk=?;4!mgurPmb_m<>h|yQ2H&fy-6xztFXrH);KZzDY;3<D$o}6&<(5!*V
z+?zi_Q?QNY97<G5S?Y_rW--q4UkB3Pb6T{BJioWzAVwV3rO8gWH{I8On{iiHrq&Vb
z$h%Wc)|F(EcSl33F10Be#E|bWl*_H3V$voQ@TE}2*wcK6`+&fO`EGd|*!(>}D7|(7
r000623Up<2bYpC3Wp1;M3LX&@vAzRV>9`2(%no+Y5lvoSR(apVnmb8A

delta 1559
zcmZoQI$*xxCbN;>9Igi$46G4)rUsS_3~bX3n%E{8G_h7KU}j=uViNXdU|?YWFFx<;
zjz$q)AREY=%)v4x)YQP-(9F=n*vQl%N}Siw49GQwat$niToX3tP!?ukUDuq%;*!kd
z;MByT<P67@kksN5y~Gr~5)hpVkt+tv=_TjqPCTtxzv6vj0)vonm}{x!v-jtepC8I!
z$}?%Xys6&zIZkm3!tG@zW?Fqyd;al+yhMEeulj4QHH!Hcwk@3AKCgRQRHq{E9#iKR
zeOo0?B>eAxb>1sRB#L>j^Kb2=b&NrBu}`kC*RlNVlDz(UbEB$gonDHv>(++jZ#Ftd
z+Pcg;dq?)nM)vwQ$ErDJT$eJuvFk#i^V!|07Z)l<2HalSAIj&%6wdTo^|UG9_J+r^
zZA-t;h)$4Ok}03Qa8mk=Gn*rrm6;7?#rq%aDV^zl!B?DzGmeK(D?D0C;a!sc$FD`N
z&Dt!PQzft63}yeOKRL>z`ULk6-6<C*Z9O&rRldNCC35n|Ti$h_s5f$EVrFDuT-?O$
zYtY2(X`s)>sm;d7!q{Xk!o;E^r@-LCkk63IkjRk9kjLN*WalxIFcbml93V_(C^C=*
zhP<pQi<p538wXG)D=RxQ6P(3pzz34%XJq`(!otkNy1<}<jZ>@5qwPB{BPTygwn2R+
zPz47>gqewniJ<|B&jRLivvDT0c`&9jvoLBIAaQh&IZVhLRs(i6R&73JCUyfZxZ&&u
zkszlCvIH3fERcu!vff;hae)wvfK{+XXyHR^m(}ZX_#f6u);5urk|3eL$0Eie(s(2&
zb6I9tc~O#{2Zv~v<E4(}S_bkUtCd+K48$5l8o8vM=6VLF%vsKp=2m}s$|`H~!^#GY
zpFv9GSsGs(G`=use7d0V(SpYNZH;$wQW6WS^!4?f{cICcbX|QMgF`%>gIyhioIM;}
zbe$b_fD%|zJxJKuB>+SPlqTh5CaW45c&AnZ$>7wYvdrYvVvtmDJrc(`KQApay|gH?
zBr`ux$Hf_FABY6y9T1I@eLw=h9AuxIT2zvmmYJMbk{Xm+mJg(XdVMmBOYD;pi&O3M
zld@8iOPqljuh=#@$j1dJQIwff3Q`o1pP5%;P~UhPmRJ}WSsKq7G@dqSJOL9jU}|gJ
zO-ukddV<3NpHH!SG>&+mIyxi#ip6(uNub{xOG`5Hi!w_pCvRXAsqep(c8BTYhj(jo
zdsHUgKWV~tz2}mmihJ+PbsPM3^e;~n<vydkQ}AMX+O{u6<~6}0M+Lde0>3;v?4YcW
zzTZ5dcVCUc>WsKO>pc>91kCKWaL9XWUi`eJA#b+m;<szf*3R<wmY!_5GdaZZ^2x+D
z-ko<vJsphK^aXIR^C@`i-`ZBsv~SsJ^U|1ZGs9b5ITb9QGIC~f?$|e}tvRDG^h3n{
ze-ndw&wPKr^2JBC#mjEw9=OeN{Pg+8iT^~NU3NBVdwGMmeI2W#`c(ycl?PtMk7f2B
z>0Qd+Akz`6+q1c$NvlG*b-(S-NzOO-Uc7nMPSwn1&imKjm#b_0Z+<X&w|Pd2+X|+&
hGMkUE>k5i&ed_P9miy+`y8l=D)@(SMx~o*19RRE?DhL1o


From 294fabb817a565283840d376a56ac02406265060 Mon Sep 17 00:00:00 2001
From: markharwood <markharwood@gmail.com>
Date: Wed, 1 Jun 2016 12:08:06 +0100
Subject: [PATCH 08/22] Graph refactored package name to new xpack convention
 as per issue 2383

Original commit: elastic/x-pack-elasticsearch@ae798f64e87310f1c81c368c250e8e8b26ea6db1
---
 .../{ => xpack}/graph/Graph.java              |  8 ++---
 .../{ => xpack}/graph/GraphFeatureSet.java    |  2 +-
 .../{ => xpack}/graph/GraphLicensee.java      |  2 +-
 .../{ => xpack}/graph/GraphModule.java        |  2 +-
 .../{ => xpack}/graph/action/Connection.java  |  4 +--
 .../graph/action/GraphExploreAction.java      |  2 +-
 .../graph/action/GraphExploreRequest.java     |  2 +-
 .../action/GraphExploreRequestBuilder.java    |  2 +-
 .../graph/action/GraphExploreResponse.java    |  6 ++--
 .../{ => xpack}/graph/action/Hop.java         |  2 +-
 .../action/TransportGraphExploreAction.java   | 10 +++----
 .../{ => xpack}/graph/action/Vertex.java      |  2 +-
 .../graph/action/VertexRequest.java           |  4 +--
 .../graph/rest/action/RestGraphAction.java    | 29 ++++++++++---------
 .../graph/GraphFeatureSetTests.java           |  4 ++-
 .../graph/license/LicenseTests.java           |  4 +--
 .../{ => xpack}/graph/test/GraphTests.java    | 16 +++++-----
 .../AbstractLicensesIntegrationTestCase.java  |  2 +-
 .../xpack/TribeTransportTestCase.java         |  2 +-
 .../transport/KnownActionsTests.java          |  2 +-
 .../org/elasticsearch/xpack/XPackPlugin.java  |  2 +-
 21 files changed, 56 insertions(+), 53 deletions(-)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/Graph.java (90%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/GraphFeatureSet.java (97%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/GraphLicensee.java (98%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/GraphModule.java (96%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/Connection.java (97%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/GraphExploreAction.java (95%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/GraphExploreRequest.java (99%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/GraphExploreRequestBuilder.java (99%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/GraphExploreResponse.java (97%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/Hop.java (99%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/TransportGraphExploreAction.java (99%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/Vertex.java (99%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/action/VertexRequest.java (97%)
 rename elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/{ => xpack}/graph/rest/action/RestGraphAction.java (97%)
 rename elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/{ => xpack}/graph/GraphFeatureSetTests.java (93%)
 rename elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/{ => xpack}/graph/license/LicenseTests.java (98%)
 rename elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/{ => xpack}/graph/test/GraphTests.java (97%)

diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
similarity index 90%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
index 4b9a338fe4b..9c435dba74f 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.common.component.LifecycleComponent;
@@ -12,11 +12,11 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
-import org.elasticsearch.graph.action.GraphExploreAction;
-import org.elasticsearch.graph.action.TransportGraphExploreAction;
-import org.elasticsearch.graph.rest.action.RestGraphAction;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.action.GraphExploreAction;
+import org.elasticsearch.xpack.graph.action.TransportGraphExploreAction;
+import org.elasticsearch.xpack.graph.rest.action.RestGraphAction;
 
 import java.util.Collection;
 import java.util.Collections;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphFeatureSet.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphFeatureSet.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphFeatureSet.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphFeatureSet.java
index 008a6942e11..2cba904304c 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphFeatureSet.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphFeatureSet.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.inject.Inject;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphLicensee.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphLicensee.java
similarity index 98%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphLicensee.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphLicensee.java
index 4aaec502c59..01bf5f8e536 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphLicensee.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphLicensee.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphModule.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphModule.java
similarity index 96%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphModule.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphModule.java
index eaf145e5e9c..f4108bcd90a 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/GraphModule.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphModule.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.inject.util.Providers;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Connection.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Connection.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Connection.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Connection.java
index 0b3d44ab287..02d07f882e5 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Connection.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Connection.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import com.carrotsearch.hppc.ObjectIntHashMap;
 
@@ -11,7 +11,7 @@ import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.ToXContent.Params;
-import org.elasticsearch.graph.action.Vertex.VertexId;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.io.IOException;
 import java.util.Map;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreAction.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreAction.java
similarity index 95%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreAction.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreAction.java
index 1d3537c80e6..9375a95d92f 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreAction.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreAction.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.Action;
 import org.elasticsearch.client.ElasticsearchClient;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequest.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
similarity index 99%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequest.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
index 69f7f16de7c..8500bbb52fc 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequest.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequestBuilder.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequestBuilder.java
similarity index 99%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequestBuilder.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequestBuilder.java
index 9177a12b02d..55e4942d1c7 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreRequestBuilder.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequestBuilder.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequestBuilder;
 import org.elasticsearch.action.support.IndicesOptions;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreResponse.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreResponse.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreResponse.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreResponse.java
index 24dfe28a119..2869871a67d 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreResponse.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreResponse.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import com.carrotsearch.hppc.ObjectIntHashMap;
 
@@ -15,8 +15,8 @@ import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
-import org.elasticsearch.graph.action.Connection.ConnectionId;
-import org.elasticsearch.graph.action.Vertex.VertexId;
+import org.elasticsearch.xpack.graph.action.Connection.ConnectionId;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.io.IOException;
 import java.util.Collection;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Hop.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Hop.java
similarity index 99%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Hop.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Hop.java
index 3ae01c472c4..83bd6f09f1d 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Hop.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Hop.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.action.ValidateActions;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/TransportGraphExploreAction.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
similarity index 99%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/TransportGraphExploreAction.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
index 5323002ea62..ec4d045ce10 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/TransportGraphExploreAction.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.apache.lucene.search.BooleanQuery;
 import org.apache.lucene.util.PriorityQueue;
@@ -21,10 +21,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.CollectionUtils;
-import org.elasticsearch.graph.action.Connection.ConnectionId;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
-import org.elasticsearch.graph.action.Vertex.VertexId;
-import org.elasticsearch.graph.GraphLicensee;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.license.plugin.core.LicenseUtils;
@@ -41,6 +37,10 @@ import org.elasticsearch.search.aggregations.bucket.terms.support.IncludeExclude
 import org.elasticsearch.search.builder.SearchSourceBuilder;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.graph.GraphLicensee;
+import org.elasticsearch.xpack.graph.action.Connection.ConnectionId;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.util.ArrayList;
 import java.util.HashMap;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Vertex.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Vertex.java
similarity index 99%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Vertex.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Vertex.java
index 002483223a8..24f75bed1c9 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/Vertex.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Vertex.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/VertexRequest.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/VertexRequest.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/VertexRequest.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/VertexRequest.java
index 78e09152eca..140c4071b2a 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/VertexRequest.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/VertexRequest.java
@@ -3,11 +3,11 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
 
 import java.io.IOException;
 import java.util.HashMap;
diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/rest/action/RestGraphAction.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java
rename to elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/rest/action/RestGraphAction.java
index 6e5a9582af4..518229fecab 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/rest/action/RestGraphAction.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/rest/action/RestGraphAction.java
@@ -3,7 +3,16 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.rest.action;
+package org.elasticsearch.xpack.graph.rest.action;
+
+import static org.elasticsearch.rest.RestRequest.Method.GET;
+import static org.elasticsearch.rest.RestRequest.Method.POST;
+import static org.elasticsearch.xpack.graph.action.GraphExploreAction.INSTANCE;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
 
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.support.IndicesOptions;
@@ -16,11 +25,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.graph.action.GraphExploreRequest;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
-import org.elasticsearch.graph.action.GraphExploreResponse;
-import org.elasticsearch.graph.action.Hop;
-import org.elasticsearch.graph.action.VertexRequest;
 import org.elasticsearch.index.query.QueryParseContext;
 import org.elasticsearch.indices.query.IndicesQueriesRegistry;
 import org.elasticsearch.rest.BaseRestHandler;
@@ -29,15 +33,12 @@ import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.rest.action.support.RestActions;
 import org.elasticsearch.rest.action.support.RestToXContentListener;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreResponse;
+import org.elasticsearch.xpack.graph.action.Hop;
+import org.elasticsearch.xpack.graph.action.VertexRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
 
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-
-import static org.elasticsearch.graph.action.GraphExploreAction.INSTANCE;
-import static org.elasticsearch.rest.RestRequest.Method.GET;
-import static org.elasticsearch.rest.RestRequest.Method.POST;
 
 /**
  * @see GraphExploreRequest
diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/GraphFeatureSetTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/GraphFeatureSetTests.java
similarity index 93%
rename from elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/GraphFeatureSetTests.java
rename to elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/GraphFeatureSetTests.java
index 6e87584d976..56d3b949bbe 100644
--- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/GraphFeatureSetTests.java
+++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/GraphFeatureSetTests.java
@@ -3,11 +3,13 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.graph.GraphFeatureSet;
+import org.elasticsearch.xpack.graph.GraphLicensee;
 import org.junit.Before;
 
 import static org.hamcrest.core.Is.is;
diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/license/LicenseTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/license/LicenseTests.java
similarity index 98%
rename from elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/license/LicenseTests.java
rename to elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/license/LicenseTests.java
index c27a43b495c..0ad59d8bc56 100644
--- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/license/LicenseTests.java
+++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/license/LicenseTests.java
@@ -3,12 +3,12 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.license;
+package org.elasticsearch.xpack.graph.license;
 
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.graph.GraphLicensee;
 import org.elasticsearch.license.core.License.OperationMode;
 import org.elasticsearch.license.plugin.core.AbstractLicenseeTestCase;
+import org.elasticsearch.xpack.graph.GraphLicensee;
 
 import static org.hamcrest.Matchers.is;
 
diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
similarity index 97%
rename from elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java
rename to elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
index c4fd6576c07..9fe576c8dc5 100644
--- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/graph/test/GraphTests.java
+++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.test;
+package org.elasticsearch.xpack.graph.test;
 
 import org.apache.lucene.search.BooleanQuery;
 import org.elasticsearch.action.ActionRequestValidationException;
@@ -11,13 +11,6 @@ import org.elasticsearch.action.search.ShardSearchFailure;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.Settings.Builder;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.graph.action.GraphExploreAction;
-import org.elasticsearch.graph.action.GraphExploreRequest;
-import org.elasticsearch.graph.action.GraphExploreRequestBuilder;
-import org.elasticsearch.graph.action.GraphExploreResponse;
-import org.elasticsearch.graph.action.Hop;
-import org.elasticsearch.graph.action.Vertex;
-import org.elasticsearch.graph.action.VertexRequest;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.index.query.ScriptQueryBuilder;
 import org.elasticsearch.marvel.Monitoring;
@@ -32,6 +25,13 @@ import org.elasticsearch.shield.Security;
 import org.elasticsearch.test.ESSingleNodeTestCase;
 import org.elasticsearch.xpack.watcher.Watcher;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.action.GraphExploreAction;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequestBuilder;
+import org.elasticsearch.xpack.graph.action.GraphExploreResponse;
+import org.elasticsearch.xpack.graph.action.Hop;
+import org.elasticsearch.xpack.graph.action.Vertex;
+import org.elasticsearch.xpack.graph.action.VertexRequest;
 
 import java.util.Collection;
 import java.util.Map;
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
index b4c8abb20c2..6b5134d2caa 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java
@@ -12,7 +12,6 @@ import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.license.core.License;
 import org.elasticsearch.license.plugin.action.put.PutLicenseAction;
 import org.elasticsearch.license.plugin.action.put.PutLicenseRequestBuilder;
@@ -31,6 +30,7 @@ import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.xpack.watcher.Watcher;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.Graph;
 
 import java.util.ArrayList;
 import java.util.Collection;
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/xpack/TribeTransportTestCase.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/xpack/TribeTransportTestCase.java
index 0ba61a72e1e..6e48dece27e 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/xpack/TribeTransportTestCase.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/xpack/TribeTransportTestCase.java
@@ -20,7 +20,6 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.plugins.Plugin;
@@ -31,6 +30,7 @@ import org.elasticsearch.test.ESIntegTestCase.Scope;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.test.NodeConfigurationSource;
 import org.elasticsearch.test.TestCluster;
+import org.elasticsearch.xpack.graph.Graph;
 import org.elasticsearch.xpack.watcher.Watcher;
 
 import java.util.ArrayList;
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/KnownActionsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/KnownActionsTests.java
index 4f994db7f90..5153754b62b 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/KnownActionsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/KnownActionsTests.java
@@ -9,12 +9,12 @@ import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.action.Action;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.io.Streams;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.shield.action.ShieldActionModule;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.Graph;
 import org.junit.BeforeClass;
 
 import java.io.IOException;
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index a47a847104b..456f8db3598 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -18,7 +18,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.env.Environment;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.marvel.Monitoring;
@@ -38,6 +37,7 @@ import org.elasticsearch.xpack.common.init.LazyInitializationService;
 import org.elasticsearch.xpack.common.secret.SecretModule;
 import org.elasticsearch.xpack.extensions.XPackExtension;
 import org.elasticsearch.xpack.extensions.XPackExtensionsService;
+import org.elasticsearch.xpack.graph.Graph;
 import org.elasticsearch.xpack.notification.Notification;
 import org.elasticsearch.xpack.notification.email.Account;
 import org.elasticsearch.xpack.notification.email.support.BodyPartSource;

From a334ea57fc02c0a3133e78372c22d8ee1f554bd1 Mon Sep 17 00:00:00 2001
From: Nik Everett <nik9000@gmail.com>
Date: Mon, 6 Jun 2016 13:04:19 -0400
Subject: [PATCH 09/22] Replace setRefresh with setRefreshPolicy

setRefresh is being removed from core.

Original commit: elastic/x-pack-elasticsearch@b865d06c6da863ca52389dad11e6f04b60c3785c
---
 .../agent/resolver/shards/ShardsTests.java    |  3 +-
 .../shield/action/role/PutRoleRequest.java    | 29 +++++++++++------
 .../action/role/PutRoleRequestBuilder.java    |  9 ++----
 .../action/user/ChangePasswordRequest.java    | 25 +++++++++++----
 .../user/ChangePasswordRequestBuilder.java    | 12 +++----
 .../shield/action/user/PutUserRequest.java    | 29 +++++++++++------
 .../action/user/PutUserRequestBuilder.java    | 11 +++----
 .../authc/esnative/NativeUsersStore.java      | 19 ++++++------
 .../shield/authz/store/NativeRolesStore.java  |  2 +-
 .../rest/action/role/RestPutRoleAction.java   |  4 +--
 .../action/user/RestChangePasswordAction.java |  2 +-
 .../rest/action/user/RestPutUserAction.java   |  2 +-
 .../integration/ClearRolesCacheTests.java     | 15 ++++-----
 .../DateMathExpressionIntegTests.java         |  7 +++--
 .../DocumentAndFieldLevelSecurityTests.java   |  9 +++---
 .../DocumentLevelSecurityTests.java           | 31 ++++++++++---------
 .../FieldLevelSecurityRandomTests.java        |  3 +-
 .../integration/FieldLevelSecurityTests.java  | 25 ++++++++-------
 ...onsWithAliasesWildcardsAndRegexsTests.java |  3 +-
 .../integration/KibanaUserRoleIntegTests.java |  3 +-
 .../integration/ShieldClearScrollTests.java   |  3 +-
 .../authc/esnative/NativeRealmIntegTests.java |  7 +++--
 .../input/chain/ChainIntegrationTests.java    |  3 +-
 .../input/http/HttpInputIntegrationTests.java |  3 +-
 .../test/integration/BootStrapTests.java      |  9 +++---
 25 files changed, 153 insertions(+), 115 deletions(-)

diff --git a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/resolver/shards/ShardsTests.java b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/resolver/shards/ShardsTests.java
index 970e714fd49..9c5a2ab8447 100644
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/resolver/shards/ShardsTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/resolver/shards/ShardsTests.java
@@ -25,6 +25,7 @@ import org.junit.After;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -58,7 +59,7 @@ public class ShardsTests extends MarvelIntegTestCase {
     public void testShards() throws Exception {
         logger.debug("--> creating some indices so that shards collector reports data");
         for (int i = 0; i < randomIntBetween(1, 5); i++) {
-            client().prepareIndex(INDEX_PREFIX + i, "foo").setRefresh(true).setSource("field1", "value1").get();
+            client().prepareIndex(INDEX_PREFIX + i, "foo").setRefreshPolicy(IMMEDIATE).setSource("field1", "value1").get();
         }
 
         securedFlush();
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequest.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequest.java
index b7a59d83d3d..05f45513aee 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequest.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequest.java
@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.role;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -24,13 +26,13 @@ import static org.elasticsearch.action.ValidateActions.addValidationError;
 /**
  * Request object for adding a role to the shield index
  */
-public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
+public class PutRoleRequest extends ActionRequest<PutRoleRequest> implements WriteRequest<PutRoleRequest> {
 
     private String name;
     private String[] clusterPrivileges = Strings.EMPTY_ARRAY;
     private List<RoleDescriptor.IndicesPrivileges> indicesPrivileges = new ArrayList<>();
     private String[] runAs = Strings.EMPTY_ARRAY;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
     
     public PutRoleRequest() {
     }
@@ -69,8 +71,19 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
         this.runAs = usernames;
     }
 
-    public void refresh(boolean refresh) {
-        this.refresh = refresh;
+    @Override
+    public PutRoleRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
+    }
+
+    /**
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
     }
 
     public String name() {
@@ -89,10 +102,6 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
         return runAs;
     }
 
-    public boolean refresh() {
-        return refresh;
-    }
-
     @Override
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
@@ -104,7 +113,7 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
             indicesPrivileges.add(RoleDescriptor.IndicesPrivileges.createFrom(in));
         }
         runAs = in.readStringArray();
-        refresh = in.readBoolean();
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -117,7 +126,7 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
             index.writeTo(out);
         }
         out.writeStringArray(runAs);
-        out.writeBoolean(refresh);
+        refreshPolicy.writeTo(out);
     }
 
     RoleDescriptor roleDescriptor() {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequestBuilder.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequestBuilder.java
index 8674f5ed205..8b63fc32de4 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequestBuilder.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequestBuilder.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.action.role;
 
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -14,7 +15,8 @@ import org.elasticsearch.shield.authz.RoleDescriptor;
 /**
  * Builder for requests to add a role to the administrative index
  */
-public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder> {
+public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder>
+        implements WriteRequestBuilder<PutRoleRequestBuilder> {
 
     public PutRoleRequestBuilder(ElasticsearchClient client) {
         this(client, PutRoleAction.INSTANCE);
@@ -54,9 +56,4 @@ public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest,
         request.addIndex(indices, privileges, fields, query);
         return this;
     }
-
-    public PutRoleRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequest.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequest.java
index 50263bbfe24..5ceef12fca1 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequest.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequest.java
@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -17,12 +19,14 @@ import java.io.IOException;
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 
 /**
+ * Request to change a user's password.
  */
-public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest> implements UserRequest {
+public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
+        implements UserRequest, WriteRequest<ChangePasswordRequest> {
 
     private String username;
     private char[] passwordHash;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
 
     @Override
     public ActionRequestValidationException validate() {
@@ -52,12 +56,19 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         this.passwordHash = passwordHash;
     }
 
-    public boolean refresh() {
-        return refresh;
+    /**
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
     }
 
-    public void refresh(boolean refresh) {
-        this.refresh = refresh;
+    @Override
+    public ChangePasswordRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
     }
 
     @Override
@@ -70,6 +81,7 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         super.readFrom(in);
         username = in.readString();
         passwordHash = CharArrays.utf8BytesToChars(in.readBytesReference().array());
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -77,5 +89,6 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         super.writeTo(out);
         out.writeString(username);
         out.writeBytesReference(new BytesArray(CharArrays.toUtf8Bytes(passwordHash)));
+        refreshPolicy.writeTo(out);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequestBuilder.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequestBuilder.java
index 994f2901eea..7177f1b56eb 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequestBuilder.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequestBuilder.java
@@ -7,25 +7,28 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.ParseFieldMatcher;
 import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.support.Validation;
+import org.elasticsearch.shield.user.User;
 import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 
 import java.io.IOException;
 import java.util.Arrays;
 
 /**
+ * Request to change a user's password.
  */
 public class ChangePasswordRequestBuilder
-        extends ActionRequestBuilder<ChangePasswordRequest, ChangePasswordResponse, ChangePasswordRequestBuilder> {
+        extends ActionRequestBuilder<ChangePasswordRequest, ChangePasswordResponse, ChangePasswordRequestBuilder>
+        implements WriteRequestBuilder<ChangePasswordRequestBuilder> {
 
     public ChangePasswordRequestBuilder(ElasticsearchClient client) {
         this(client, ChangePasswordAction.INSTANCE);
@@ -81,9 +84,4 @@ public class ChangePasswordRequestBuilder
         }
         return this;
     }
-
-    public ChangePasswordRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequest.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequest.java
index ce9fa89a747..bcf4891f882 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequest.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequest.java
@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -22,7 +24,7 @@ import static org.elasticsearch.action.ValidateActions.addValidationError;
 /**
  * Request object to put a native user.
  */
-public class PutUserRequest extends ActionRequest<PutUserRequest> implements UserRequest {
+public class PutUserRequest extends ActionRequest<PutUserRequest> implements UserRequest, WriteRequest<PutUserRequest> {
 
     private String username;
     private String[] roles;
@@ -30,7 +32,7 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
     private String email;
     private Map<String, Object> metadata;
     private char[] passwordHash;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
 
     public PutUserRequest() {
     }
@@ -72,8 +74,19 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         this.passwordHash = passwordHash;
     }
 
-    public void refresh(boolean refresh) {
-        this.refresh = refresh;
+    /**
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    @Override
+    public PutUserRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
     }
 
     public String username() {
@@ -101,10 +114,6 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         return passwordHash;
     }
 
-    public boolean refresh() {
-        return refresh;
-    }
-
     @Override
     public String[] usernames() {
         return new String[] { username };
@@ -124,7 +133,7 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         fullName = in.readOptionalString();
         email = in.readOptionalString();
         metadata = in.readBoolean() ? in.readMap() : null;
-        refresh = in.readBoolean();
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -147,6 +156,6 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
             out.writeBoolean(true);
             out.writeMap(metadata);
         }
-        out.writeBoolean(refresh);
+        refreshPolicy.writeTo(out);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java
index 11f061c2d9b..3a5bf7b54d4 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java
@@ -7,6 +7,7 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.ParseFieldMatcher;
@@ -15,17 +16,18 @@ import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.support.Validation;
+import org.elasticsearch.shield.user.User;
 import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Map;
 
-public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest, PutUserResponse, PutUserRequestBuilder> {
+public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest, PutUserResponse, PutUserRequestBuilder>
+        implements WriteRequestBuilder<PutUserRequestBuilder> {
 
     private final Hasher hasher = Hasher.BCRYPT;
 
@@ -77,11 +79,6 @@ public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest,
         return this;
     }
 
-    public PutUserRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
-
     public PutUserRequestBuilder source(String username, BytesReference source) throws IOException {
         username(username);
         try (XContentParser parser = XContentHelper.createParser(source)) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
index 64655339f68..ce56350aed9 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
@@ -9,6 +9,7 @@ import com.carrotsearch.hppc.ObjectHashSet;
 import com.carrotsearch.hppc.ObjectLongHashMap;
 import com.carrotsearch.hppc.ObjectLongMap;
 import com.carrotsearch.hppc.cursors.ObjectCursor;
+
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
@@ -50,9 +51,6 @@ import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldTemplateService;
-import org.elasticsearch.shield.user.SystemUser;
-import org.elasticsearch.shield.user.User;
-import org.elasticsearch.shield.user.User.Fields;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
 import org.elasticsearch.shield.action.user.ChangePasswordRequest;
@@ -62,6 +60,9 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.shield.support.SelfReschedulingRunnable;
+import org.elasticsearch.shield.user.SystemUser;
+import org.elasticsearch.shield.user.User;
+import org.elasticsearch.shield.user.User.Fields;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 
@@ -325,7 +326,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
 
         client.prepareUpdate(ShieldTemplateService.SECURITY_INDEX_NAME, docType, username)
                 .setDoc(Fields.PASSWORD.getPreferredName(), String.valueOf(request.passwordHash()))
-                .setRefresh(request.refresh())
+                .setRefreshPolicy(request.getRefreshPolicy())
                 .execute(new ActionListener<UpdateResponse>() {
                     @Override
                     public void onResponse(UpdateResponse updateResponse) {
@@ -346,7 +347,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         }
 
                         if (docType.equals(RESERVED_USER_DOC_TYPE)) {
-                            createReservedUser(username, request.passwordHash(), request.refresh(), listener);
+                            createReservedUser(username, request.passwordHash(), request.getRefreshPolicy(), listener);
                         } else {
                             logger.debug("failed to change password for user [{}]", cause, request.username());
                             ValidationException validationException = new ValidationException();
@@ -357,10 +358,10 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                 });
     }
 
-    private void createReservedUser(String username, char[] passwordHash, boolean refresh, ActionListener<Void> listener) {
+    private void createReservedUser(String username, char[] passwordHash, RefreshPolicy refresh, ActionListener<Void> listener) {
         client.prepareIndex(ShieldTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, username)
                 .setSource(Fields.PASSWORD.getPreferredName(), String.valueOf(passwordHash))
-                .setRefresh(refresh)
+                .setRefreshPolicy(refresh)
                 .execute(new ActionListener<IndexResponse>() {
                     @Override
                     public void onResponse(IndexResponse indexResponse) {
@@ -401,7 +402,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(),
                         User.Fields.EMAIL.getPreferredName(), putUserRequest.email(),
                         User.Fields.METADATA.getPreferredName(), putUserRequest.metadata())
-                .setRefresh(putUserRequest.refresh())
+                .setRefreshPolicy(putUserRequest.getRefreshPolicy())
                 .execute(new ActionListener<UpdateResponse>() {
                     @Override
                     public void onResponse(UpdateResponse updateResponse) {
@@ -441,7 +442,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(),
                         User.Fields.EMAIL.getPreferredName(), putUserRequest.email(),
                         User.Fields.METADATA.getPreferredName(), putUserRequest.metadata())
-                .setRefresh(putUserRequest.refresh())
+                .setRefreshPolicy(putUserRequest.getRefreshPolicy())
                 .execute(new ActionListener<IndexResponse>() {
                     @Override
                     public void onResponse(IndexResponse indexResponse) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
index 5d02cd7a60f..46bfb0c3c71 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
@@ -300,7 +300,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         try {
             client.prepareIndex(ShieldTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, role.getName())
                     .setSource(role.toXContent(jsonBuilder(), ToXContent.EMPTY_PARAMS))
-                    .setRefresh(request.refresh())
+                    .setRefreshPolicy(request.getRefreshPolicy())
                     .execute(new ActionListener<IndexResponse>() {
                         @Override
                         public void onResponse(IndexResponse indexResponse) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java
index 20334f56efc..d1a1a6c227d 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java
@@ -36,9 +36,7 @@ public class RestPutRoleAction extends BaseRestHandler {
     @Override
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         PutRoleRequestBuilder requestBuilder = new SecurityClient(client).preparePutRole(request.param("name"), request.content());
-        if (request.hasParam("refresh")) {
-            requestBuilder.refresh(request.paramAsBoolean("refresh", true));
-        }
+        requestBuilder.setRefreshPolicy(request.param("refresh"));
         requestBuilder.execute(new RestBuilderListener<PutRoleResponse>(channel) {
             @Override
             public RestResponse buildResponse(PutRoleResponse putRoleResponse, XContentBuilder builder) throws Exception {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java
index 9be684b4598..ce31c587e24 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java
@@ -47,7 +47,7 @@ public class RestChangePasswordAction extends BaseRestHandler {
         }
 
         new SecurityClient(client).prepareChangePassword(username, request.content())
-                .refresh(request.paramAsBoolean("refresh", true))
+                .setRefreshPolicy(request.param("refresh"))
                 .execute(new RestBuilderListener<ChangePasswordResponse>(channel) {
                     @Override
                     public RestResponse buildResponse(ChangePasswordResponse changePasswordResponse, XContentBuilder builder) throws
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java
index 863a960d47e..261495f4ac1 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java
@@ -37,7 +37,7 @@ public class RestPutUserAction extends BaseRestHandler {
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         PutUserRequestBuilder requestBuilder = new SecurityClient(client).preparePutUser(request.param("username"), request.content());
         if (request.hasParam("refresh")) {
-            requestBuilder.refresh(request.paramAsBoolean("refresh", true));
+            requestBuilder.setRefreshPolicy(request.param("refresh"));
         }
         requestBuilder.execute(new RestBuilderListener<PutUserResponse>(channel) {
             @Override
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java
index a2cda298e38..c2790d94f18 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java
@@ -13,10 +13,9 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.rest.RestStatus;
-import org.elasticsearch.shield.action.role.PutRoleResponse;
-import org.elasticsearch.shield.action.role.GetRolesResponse;
 import org.elasticsearch.shield.ShieldTemplateService;
-import org.elasticsearch.shield.authc.esnative.NativeRealm;
+import org.elasticsearch.shield.action.role.GetRolesResponse;
+import org.elasticsearch.shield.action.role.PutRoleResponse;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.authz.RoleDescriptor;
@@ -31,10 +30,13 @@ import org.junit.BeforeClass;
 import java.util.Arrays;
 import java.util.List;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.NONE;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 
+
 /**
  * Test for the Shield clear roles API that changes the polling aspect of shield to only run once an hour in order to
  * test the cache clearing APIs.
@@ -91,13 +93,12 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
         int modifiedRolesCount = randomIntBetween(1, roles.length);
         List<String> toModify = randomSubsetOf(modifiedRolesCount, roles);
         logger.debug("--> modifying roles {} to have run_as", toModify);
-        final boolean refresh = randomBoolean();
         for (String role : toModify) {
             PutRoleResponse response = securityClient.preparePutRole(role)
                     .cluster("none")
                     .addIndices(new String[] { "*" }, new String[] { "ALL" }, null, null)
                     .runAs(role)
-                    .refresh(refresh)
+                    .setRefreshPolicy(randomBoolean() ? IMMEDIATE : NONE)
                     .get();
             assertThat(response.isCreated(), is(false));
             logger.debug("--> updated role [{}] with run_as", role);
@@ -115,7 +116,7 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
             UpdateResponse response = internalClient().prepareUpdate().setId(role).setIndex(ShieldTemplateService.SECURITY_INDEX_NAME)
                     .setType(NativeRolesStore.ROLE_DOC_TYPE)
                     .setDoc("run_as", new String[] { role })
-                    .setRefresh(refresh)
+                    .setRefreshPolicy(refresh ? IMMEDIATE : NONE)
                     .get();
             assertThat(response.isCreated(), is(false));
             logger.debug("--> updated role [{}] with run_as", role);
@@ -158,7 +159,7 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
         final boolean refresh = randomBoolean();
         DeleteResponse response = internalClient()
                 .prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME, NativeRolesStore.ROLE_DOC_TYPE, role)
-                .setRefresh(refresh)
+                .setRefreshPolicy(refresh ? IMMEDIATE : NONE)
                 .get();
         assertThat(response.isFound(), is(true));
 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java
index 5b626b3c2f8..36f8ff1083a 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java
@@ -23,6 +23,8 @@ import org.elasticsearch.test.ShieldIntegTestCase;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.NONE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
@@ -64,7 +66,8 @@ public class DateMathExpressionIntegTests extends ShieldIntegTestCase {
             CreateIndexResponse response = client.admin().indices().prepareCreate(expression).get();
             assertThat(response.isAcknowledged(), is(true));
         }
-        IndexResponse response = client.prepareIndex(expression, "type").setSource("foo", "bar").setRefresh(refeshOnOperation).get();
+        IndexResponse response = client.prepareIndex(expression, "type").setSource("foo", "bar")
+                .setRefreshPolicy(refeshOnOperation ? IMMEDIATE : NONE).get();
 
         assertThat(response.isCreated(), is(true));
         assertThat(response.getIndex(), containsString(expectedIndexName));
@@ -84,7 +87,7 @@ public class DateMathExpressionIntegTests extends ShieldIntegTestCase {
 
         UpdateResponse updateResponse = client.prepareUpdate(expression, "type", response.getId())
                 .setDoc("new", "field")
-                .setRefresh(refeshOnOperation)
+                .setRefreshPolicy(refeshOnOperation ? IMMEDIATE : NONE)
                 .get();
         assertThat(updateResponse.isCreated(), is(false));
 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
index 716b58652e8..8869367b79f 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
@@ -94,10 +95,10 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().filterWithHeader(
@@ -133,10 +134,10 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // Both users have the same role query, but user3 has access to field2 and not field1, which should result in zero hits:
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
index f99bfef4aff..f2fd3632f5a 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
@@ -33,6 +33,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.hasChildQuery;
 import static org.elasticsearch.index.query.QueryBuilders.hasParentQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
@@ -108,13 +109,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client()
@@ -289,13 +290,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -354,13 +355,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -419,13 +420,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text,fielddata=true", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().prepareSearch("test")
@@ -483,11 +484,11 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type2", "_parent", "type=type1", "field3", "type=text,fielddata=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type2", "2").setSource("field3", "value3")
                 .setParent("1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().prepareSearch("test")
@@ -705,7 +706,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                 .addMapping("type", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // With document level security enabled the update is not allowed:
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java
index fc14ae859a9..541bb73623f 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java
@@ -24,6 +24,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
@@ -141,7 +142,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", (Object[])fieldMappers)
         );
-        client().prepareIndex("test", "type1", "1").setSource(doc).setRefresh(true).get();
+        client().prepareIndex("test", "type1", "1").setSource(doc).setRefreshPolicy(IMMEDIATE).get();
 
         for (String allowedField : allowedFields) {
             logger.info("Checking allowed field [{}]", allowedField);
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index a887783b017..6de93265d9c 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -32,6 +32,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.constantScoreQuery;
 import static org.elasticsearch.index.query.QueryBuilders.hasChildQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
@@ -136,7 +137,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 has access to field1, so the query should match with the document:
@@ -488,7 +489,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -622,7 +623,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         int max = scaledRandomIntBetween(4, 32);
@@ -660,7 +661,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         int max = scaledRandomIntBetween(4, 32);
@@ -702,7 +703,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,store=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -799,7 +800,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -873,7 +874,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         );
 
         client().prepareIndex("test", "type1", "1").setSource("field1", 1d, "field2", 2d)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted to use field1, so it is included in the sort_values
@@ -911,7 +912,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text,fielddata=true", "field2", "type=text,fielddata=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is authorized to use field1, so buckets are include for a term agg on field1
@@ -951,7 +952,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -1035,7 +1036,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -1155,7 +1156,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         );
         client().prepareIndex("test", "type", "1")
                 .setSource("field1", "value1", "field2", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // With field level security enabled the update is not allowed:
@@ -1200,7 +1201,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user6 has access to all fields, so the query should match with the document:
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java
index 916321f80ba..068b3f97ef4 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java
@@ -16,6 +16,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
@@ -72,7 +73,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield
                         .addAlias(new Alias("an_alias"))
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2",  "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         GetResponse getResponse = client()
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java
index bc76aadcc1e..372426e4751 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java
@@ -25,6 +25,7 @@ import org.elasticsearch.test.ShieldIntegTestCase;
 import java.util.Locale;
 
 import static java.util.Collections.singletonMap;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -183,7 +184,7 @@ public class KibanaUserRoleIntegTests extends ShieldIntegTestCase {
                 .setIndex(index)
                 .setType("dashboard")
                 .setSource("foo", "bar")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         assertThat(response.isCreated(), is(true));
 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
index 7c745794f1d..4d050ad6704 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
@@ -24,6 +24,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertThrows;
@@ -63,7 +64,7 @@ public class ShieldClearScrollTests extends ShieldIntegTestCase {
 
     @Before
     public void indexRandomDocuments() {
-        BulkRequestBuilder bulkRequestBuilder = client().prepareBulk().setRefresh(true);
+        BulkRequestBuilder bulkRequestBuilder = client().prepareBulk().setRefreshPolicy(IMMEDIATE);
         for (int i = 0; i < randomIntBetween(10, 50); i++) {
             bulkRequestBuilder.add(client().prepareIndex("index", "type", String.valueOf(i)).setSource("{ \"foo\" : \"bar\" }"));
         }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java
index 8ef07027eb1..f30b5b18f11 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java
@@ -44,6 +44,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.containsString;
@@ -205,7 +206,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
 
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
@@ -227,7 +228,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
 
@@ -262,7 +263,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
 
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/chain/ChainIntegrationTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/chain/ChainIntegrationTests.java
index 77b2029dc44..a760116dd11 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/chain/ChainIntegrationTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/chain/ChainIntegrationTests.java
@@ -17,6 +17,7 @@ import org.elasticsearch.xpack.watcher.test.AbstractWatcherIntegrationTestCase;
 import java.net.InetSocketAddress;
 import java.util.concurrent.TimeUnit;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
 import static org.elasticsearch.xpack.watcher.actions.ActionBuilders.indexAction;
@@ -42,7 +43,7 @@ public class ChainIntegrationTests extends AbstractWatcherIntegrationTestCase {
     public void testChainedInputsAreWorking() throws Exception {
         String index = "the-most-awesome-index-ever";
         createIndex(index);
-        client().prepareIndex(index, "type", "id").setSource("{}").setRefresh(true).get();
+        client().prepareIndex(index, "type", "id").setSource("{}").setRefreshPolicy(IMMEDIATE).get();
 
         InetSocketAddress address = internalCluster().httpAddresses()[0];
         HttpInput.Builder httpInputBuilder = httpInput(HttpRequestTemplate.builder(address.getHostString(), address.getPort())
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/http/HttpInputIntegrationTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/http/HttpInputIntegrationTests.java
index 2ff6a291474..a22d6262be7 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/http/HttpInputIntegrationTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/input/http/HttpInputIntegrationTests.java
@@ -24,6 +24,7 @@ import org.elasticsearch.xpack.watcher.trigger.schedule.IntervalSchedule;
 
 import java.net.InetSocketAddress;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.index.query.QueryBuilders.termQuery;
@@ -49,7 +50,7 @@ public class HttpInputIntegrationTests extends AbstractWatcherIntegrationTestCas
     @TestLogging("watcher.support.http:TRACE")
     public void testHttpInput() throws Exception {
         createIndex("index");
-        client().prepareIndex("index", "type", "id").setSource("{}").setRefresh(true).get();
+        client().prepareIndex("index", "type", "id").setSource("{}").setRefreshPolicy(IMMEDIATE).get();
 
         InetSocketAddress address = internalCluster().httpAddresses()[0];
         watcherClient().preparePutWatch("_name")
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
index 210e295db79..dcda61a5813 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/integration/BootStrapTests.java
@@ -32,6 +32,7 @@ import org.joda.time.DateTimeZone;
 
 import java.util.concurrent.TimeUnit;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
 import static org.elasticsearch.index.query.QueryBuilders.termQuery;
 import static org.elasticsearch.search.builder.SearchSourceBuilder.searchSource;
@@ -140,7 +141,7 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
                         .endObject()
                         .endObject())
                 .setConsistencyLevel(WriteConsistencyLevel.ALL)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // unknown condition:
@@ -158,7 +159,7 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
                         .endObject()
                         .endObject())
                 .setConsistencyLevel(WriteConsistencyLevel.ALL)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // unknown trigger:
@@ -176,7 +177,7 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
                         .endObject()
                         .endObject())
                 .setConsistencyLevel(WriteConsistencyLevel.ALL)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         stopWatcher();
@@ -200,7 +201,7 @@ public class BootStrapTests extends AbstractWatcherIntegrationTestCase {
                         .endObject()
                         .endObject())
                 .setConsistencyLevel(WriteConsistencyLevel.ALL)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         stopWatcher();

From 8a03988c030d07673a10742a01995ebb7b5ff97a Mon Sep 17 00:00:00 2001
From: Adrien Grand <jpountz@gmail.com>
Date: Fri, 10 Jun 2016 18:57:09 +0200
Subject: [PATCH 10/22] Upgrade code for Lucene 6.1.

Original commit: elastic/x-pack-elasticsearch@282299cebea1c65a4db9c571c585fc4caf37b4bd
---
 .../ShieldIndexSearcherWrapperUnitTests.java           | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
index 15a9de93d97..e1f74b3f8de 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
@@ -468,6 +468,16 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
         public Weight createWeight(IndexSearcher searcher, boolean needsScores) throws IOException {
             return new CreateScorerOnceWeight(query.createWeight(searcher, needsScores));
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            return sameClassAs(obj) && query.equals(((CreateScorerOnceQuery) obj).query);
+        }
+
+        @Override
+        public int hashCode() {
+            return 31 * classHash() + query.hashCode();
+        }
     }
 
     public void doTestIndexSearcherWrapper(boolean sparse, boolean deletions) throws IOException {

From 2dd6cfae2b0bcb4c03594ab3e3fbe8c7fe100751 Mon Sep 17 00:00:00 2001
From: Nik Everett <nik9000@gmail.com>
Date: Fri, 10 Jun 2016 15:48:54 -0400
Subject: [PATCH 11/22] Handle core changing TimeValue to Writeable

Original commit: elastic/x-pack-elasticsearch@72e33d6e524ef19e53594670f19d06cbf32c833a
---
 .../xpack/graph/action/GraphExploreRequest.java             | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
index 8500bbb52fc..28e84646d5d 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java
@@ -149,9 +149,7 @@ public class GraphExploreRequest extends ActionRequest<GraphExploreRequest> impl
         indicesOptions = IndicesOptions.readIndicesOptions(in);
         types = in.readStringArray();
         routing = in.readOptionalString();
-        if (in.readBoolean()) {
-            timeout = TimeValue.readTimeValue(in);
-        }
+        timeout = in.readOptionalWriteable(TimeValue::new);
         sampleSize = in.readInt();
         sampleDiversityField = in.readOptionalString();
         maxDocsPerDiversityValue = in.readInt();
@@ -177,7 +175,7 @@ public class GraphExploreRequest extends ActionRequest<GraphExploreRequest> impl
         indicesOptions.writeIndicesOptions(out);
         out.writeStringArray(types);
         out.writeOptionalString(routing);
-        out.writeOptionalStreamable(timeout);
+        out.writeOptionalWriteable(timeout);
 
         out.writeInt(sampleSize);
         out.writeOptionalString(sampleDiversityField);

From aa292561c03d3499208d57fbfb2d4bb0073423d7 Mon Sep 17 00:00:00 2001
From: jaymode <jay.modi@elasticsearch.com>
Date: Mon, 13 Jun 2016 09:30:22 -0400
Subject: [PATCH 12/22] test: remove AwaitsFix for field stats API test

This was fixed in core but the awaits fix was not removed here.

Original commit: elastic/x-pack-elasticsearch@357a797b5e2de9586c0c319adfd072e80936c8a2
---
 .../org/elasticsearch/integration/FieldLevelSecurityTests.java  | 2 --
 1 file changed, 2 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 6de93265d9c..d0032ff04fc 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -482,8 +482,6 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getResponses()[0].getResponse().getSource().get("field2").toString(), equalTo("value2"));
     }
 
-    // norelease - we need to fix the issue so that only fields a user can see are returned
-    @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2120")
     public void testFieldStatsApi() throws Exception {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")

From acc692bf68ce4ced01c219156b9705e6c2f470e0 Mon Sep 17 00:00:00 2001
From: Alexander Reelsen <alexander@reelsen.net>
Date: Mon, 13 Jun 2016 15:07:33 +0200
Subject: [PATCH 13/22] Watcher: Putting a watch now stores its state correctly

The active state was not serialized in the PutWatchRequest leading to
to always setting it to active, when a different node than the master
node was hit with a put watch request.

Closes elastic/elasticsearch#2490

Original commit: elastic/x-pack-elasticsearch@060c0fa35f419390f2ba6af2fe503f80ef00e9b2
---
 .../actions/put/PutWatchRequest.java          |  2 ++
 .../put/PutWatchSerializationTests.java       | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transport/action/put/PutWatchSerializationTests.java

diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/put/PutWatchRequest.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/put/PutWatchRequest.java
index e1766038d82..38318c36715 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/put/PutWatchRequest.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/transport/actions/put/PutWatchRequest.java
@@ -114,6 +114,7 @@ public class PutWatchRequest extends MasterNodeRequest<PutWatchRequest> {
         super.readFrom(in);
         id = in.readString();
         source = in.readBytesReference();
+        active = in.readBoolean();
     }
 
     @Override
@@ -121,6 +122,7 @@ public class PutWatchRequest extends MasterNodeRequest<PutWatchRequest> {
         super.writeTo(out);
         out.writeString(id);
         out.writeBytesReference(source);
+        out.writeBoolean(active);
     }
 
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transport/action/put/PutWatchSerializationTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transport/action/put/PutWatchSerializationTests.java
new file mode 100644
index 00000000000..8747949947c
--- /dev/null
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/transport/action/put/PutWatchSerializationTests.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.watcher.transport.action.put;
+
+import org.elasticsearch.common.bytes.BytesArray;
+import org.elasticsearch.common.io.stream.BytesStreamOutput;
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.watcher.transport.actions.put.PutWatchRequest;
+
+import static org.hamcrest.Matchers.is;
+
+public class PutWatchSerializationTests extends ESTestCase {
+
+    // https://github.com/elastic/x-plugins/issues/2490
+    public void testPutWatchSerialization() throws Exception {
+        PutWatchRequest request = new PutWatchRequest();
+        request.setId(randomAsciiOfLength(10));
+        request.setActive(randomBoolean());
+        request.setSource(new BytesArray(randomAsciiOfLength(20)));
+
+        BytesStreamOutput streamOutput = new BytesStreamOutput();
+        request.writeTo(streamOutput);
+
+        PutWatchRequest readRequest = new PutWatchRequest();
+        readRequest.readFrom(streamOutput.bytes().streamInput());
+        assertThat(readRequest.isActive(), is(request.isActive()));
+        assertThat(readRequest.getId(), is(request.getId()));
+        assertThat(readRequest.getSource(), is(request.getSource()));
+    }
+
+}

From eb5248d1274e39e0216ee9f53ccc8ed0d04c83ac Mon Sep 17 00:00:00 2001
From: Martijn van Groningen <martijn.v.groningen@gmail.com>
Date: Mon, 13 Jun 2016 21:15:35 +0200
Subject: [PATCH 14/22] fix test compile error

Original commit: elastic/x-pack-elasticsearch@61c4a8eb9adeca319a51f2892a0558a01f1a0763
---
 .../org/elasticsearch/shield/VersionCompatibilityTests.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/VersionCompatibilityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/VersionCompatibilityTests.java
index b7ddf644024..b9bffa980c5 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/VersionCompatibilityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/VersionCompatibilityTests.java
@@ -37,6 +37,6 @@ public class VersionCompatibilityTests extends ESTestCase {
          *
          */
         assertThat("Remove workaround in LicenseService class when es core supports merging cluster level custom metadata",
-                   Version.CURRENT.equals(Version.V_5_0_0), is(true));
+                   Version.CURRENT.equals(Version.V_5_0_0_alpha4), is(true));
     }
 }

From 1ecebab0aa939ef741025238ea78039169c53126 Mon Sep 17 00:00:00 2001
From: Martijn van Groningen <martijn.v.groningen@gmail.com>
Date: Mon, 13 Jun 2016 15:44:55 +0200
Subject: [PATCH 15/22] security: Add `_field_names` field to the list of meta
 fields that are always allowed visible

The logic that filters `_field_names` field's terms is encapsulated in `FieldSubsetReader.java`,
but that doesn't kick in if `_field_names` is an allowed field.

Closes elastic/elasticsearch#2504

Original commit: elastic/x-pack-elasticsearch@d81ec9477a8804bb7aeed940a74d605bc271c3d7
---
 .../ShieldIndexSearcherWrapper.java           |  2 +
 .../integration/FieldLevelSecurityTests.java  | 69 +++++++++++++++++--
 .../ShieldIndexSearcherWrapperUnitTests.java  |  3 +-
 3 files changed, 69 insertions(+), 5 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
index f759543a3b6..fe55e5993c0 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
@@ -35,6 +35,7 @@ import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
 import org.elasticsearch.index.engine.EngineException;
 import org.elasticsearch.index.mapper.DocumentMapper;
 import org.elasticsearch.index.mapper.MapperService;
+import org.elasticsearch.index.mapper.internal.FieldNamesFieldMapper;
 import org.elasticsearch.index.mapper.internal.ParentFieldMapper;
 import org.elasticsearch.index.query.ParsedQuery;
 import org.elasticsearch.index.query.QueryBuilder;
@@ -90,6 +91,7 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
 
         Set<String> allowedMetaFields = new HashSet<>();
         allowedMetaFields.addAll(Arrays.asList(MapperService.getAllMetaFields()));
+        allowedMetaFields.add(FieldNamesFieldMapper.NAME); // TODO: add _field_names to MapperService#META_FIELDS?
         allowedMetaFields.add("_source"); // TODO: add _source to MapperService#META_FIELDS?
         allowedMetaFields.add("_version"); // TODO: add _version to MapperService#META_FIELDS?
         allowedMetaFields.remove("_all"); // The _all field contains actual data and we can't include that by default.
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index d0032ff04fc..64c9a08bdbe 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -34,6 +34,7 @@ import java.util.Collections;
 
 import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.constantScoreQuery;
+import static org.elasticsearch.index.query.QueryBuilders.existsQuery;
 import static org.elasticsearch.index.query.QueryBuilders.hasChildQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.index.query.QueryBuilders.termQuery;
@@ -881,28 +882,28 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                 .prepareSearch("test")
                 .addSort("field1", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(1L));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(1L));
 
         // user2 is not granted to use field1, so the default missing sort value is included
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field1", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
 
         // user1 is not granted to use field2, so the default missing sort value is included
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field2", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
 
         // user2 is granted to use field2, so it is included in the sort_values
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field2", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(2L));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(2L));
     }
 
     public void testAggs() throws Exception {
@@ -1223,4 +1224,64 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getHits().getAt(0).sourceAsMap().get("field2").toString(), equalTo("value2"));
     }
 
+    public void testExistQuery() {
+        assertAcked(client().admin().indices().prepareCreate("test")
+                .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
+        );
+        client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
+                .setRefreshPolicy(IMMEDIATE)
+                .get();
+
+        // user1 has access to field1, so the query should match with the document:
+        SearchResponse response = client()
+                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 1);
+        // user1 has no access to field2, so the query should not match with the document:
+        response = client()
+                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 0);
+        // user2 has no access to field1, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 0);
+        // user2 has access to field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 1);
+        // user3 has access to field1 and field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 1);
+        // user3 has access to field1 and field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 1);
+        // user4 has access to no fields, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user4", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 0);
+        // user4 has access to no fields, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user4", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 0);
+    }
+
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
index e1f74b3f8de..23be1bd3856 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java
@@ -133,7 +133,7 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
 
         FieldSubsetReader.FieldSubsetDirectoryReader result =
                 (FieldSubsetReader.FieldSubsetDirectoryReader) shieldIndexSearcherWrapper.wrap(esIn);
-        assertThat(result.getFieldNames().size(), equalTo(11));
+        assertThat(result.getFieldNames().size(), equalTo(12));
         assertThat(result.getFieldNames().contains("_uid"), is(true));
         assertThat(result.getFieldNames().contains("_id"), is(true));
         assertThat(result.getFieldNames().contains("_version"), is(true));
@@ -145,6 +145,7 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
         assertThat(result.getFieldNames().contains("_ttl"), is(true));
         assertThat(result.getFieldNames().contains("_size"), is(true));
         assertThat(result.getFieldNames().contains("_index"), is(true));
+        assertThat(result.getFieldNames().contains("_field_names"), is(true));
         // _all contains actual user data and therefor can't be included by default
         assertThat(result.getFieldNames().contains("_all"), is(false));
     }

From ce8ffab7f259f37588b476012462644016391ea1 Mon Sep 17 00:00:00 2001
From: Jim Ferenczi <jim.ferenczi@elastic.co>
Date: Thu, 2 Jun 2016 14:43:00 +0200
Subject: [PATCH 16/22] Add support for a policy file
 (x-pack-extension-security.policy) in an x-pack extension Fix
 elastic/elasticsearch#2094

Original commit: elastic/x-pack-elasticsearch@bc017064d03608a3d4edcfc454bfed597078ca66
---
 .../qa/shield-example-realm/build.gradle      |   1 +
 .../example/ExampleRealmExtension.java        |   8 +
 .../x-pack-extension-security.policy          |   3 +
 .../InstallXPackExtensionCommand.java         | 187 +++++++++++++++++-
 .../xpack/extensions/XPackExtensionInfo.java  |   1 +
 .../extensions/XPackExtensionPolicy.java      |  67 +++++++
 .../extensions/XPackExtensionSecurity.java    | 144 ++++++++++++++
 .../extensions/XPackExtensionsService.java    |  25 ++-
 .../plugin-metadata/plugin-security.policy    |   5 +
 .../InstallXPackExtensionCommandTests.java    |  12 +-
 .../XPackExtensionSecurityTests.java          |  59 ++++++
 .../complex-x-pack-extension-security.policy  |   5 +
 .../simple-x-pack-extension-security.policy   |   4 +
 ...nresolved-x-pack-extension-security.policy |   4 +
 14 files changed, 501 insertions(+), 24 deletions(-)
 create mode 100644 elasticsearch/qa/shield-example-realm/src/main/resources/x-pack-extension-security.policy
 create mode 100644 elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionPolicy.java
 create mode 100644 elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurity.java
 create mode 100644 elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurityTests.java
 create mode 100644 elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/complex-x-pack-extension-security.policy
 create mode 100644 elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/simple-x-pack-extension-security.policy
 create mode 100644 elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/unresolved-x-pack-extension-security.policy

diff --git a/elasticsearch/qa/shield-example-realm/build.gradle b/elasticsearch/qa/shield-example-realm/build.gradle
index f3367b8e542..f7081642bee 100644
--- a/elasticsearch/qa/shield-example-realm/build.gradle
+++ b/elasticsearch/qa/shield-example-realm/build.gradle
@@ -37,6 +37,7 @@ processResources {
 
 task buildZip(type:Zip, dependsOn: [jar]) {
   from 'build/resources/main/x-pack-extension-descriptor.properties'
+  from 'build/resources/main/x-pack-extension-security.policy'
   from project.jar
 }
 
diff --git a/elasticsearch/qa/shield-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java b/elasticsearch/qa/shield-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
index 752e0a74b32..308ca7c382e 100644
--- a/elasticsearch/qa/shield-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
+++ b/elasticsearch/qa/shield-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java
@@ -11,6 +11,9 @@ import org.elasticsearch.example.realm.CustomRealmFactory;
 import org.elasticsearch.shield.authc.AuthenticationModule;
 import org.elasticsearch.xpack.extensions.XPackExtension;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
 public class ExampleRealmExtension extends XPackExtension {
     @Override
     public String name() {
@@ -25,5 +28,10 @@ public class ExampleRealmExtension extends XPackExtension {
     public void onModule(AuthenticationModule authenticationModule) {
         authenticationModule.addCustomRealm(CustomRealm.TYPE, CustomRealmFactory.class);
         authenticationModule.setAuthenticationFailureHandler(CustomAuthenticationFailureHandler.class);
+        // check that the extension's policy works.
+        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+            System.getSecurityManager().checkPrintJobAccess();
+            return null;
+        });
     }
 }
diff --git a/elasticsearch/qa/shield-example-realm/src/main/resources/x-pack-extension-security.policy b/elasticsearch/qa/shield-example-realm/src/main/resources/x-pack-extension-security.policy
new file mode 100644
index 00000000000..6d05deba55c
--- /dev/null
+++ b/elasticsearch/qa/shield-example-realm/src/main/resources/x-pack-extension-security.policy
@@ -0,0 +1,3 @@
+grant {
+  permission java.lang.RuntimePermission "queuePrintJob";
+};
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
index cf161e65012..df5b59167ea 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommand.java
@@ -8,6 +8,7 @@ package org.elasticsearch.xpack.extensions;
 import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
 import org.apache.lucene.util.IOUtils;
+import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.bootstrap.JarHell;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.SettingCommand;
@@ -26,13 +27,26 @@ import java.net.URLDecoder;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
-import java.util.ArrayList;
+
 import java.util.Arrays;
-import java.util.List;
 import java.util.Map;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Comparator;
+import java.util.Collections;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 
+import java.security.Policy;
+import java.security.PermissionCollection;
+import java.security.Permission;
+import java.security.NoSuchAlgorithmException;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.AccessController;
+import java.security.UnresolvedPermission;
+import java.security.URIParameter;
+
 import static org.elasticsearch.cli.Terminal.Verbosity.VERBOSE;
 import static org.elasticsearch.xpack.XPackPlugin.resolveXPackExtensionsFile;
 
@@ -49,18 +63,19 @@ import static org.elasticsearch.xpack.XPackPlugin.resolveXPackExtensionsFile;
  * <ul>
  *     <li>The property file exists and contains valid metadata. See {@link XPackExtensionInfo#readFromProperties(Path)}</li>
  *     <li>Jar hell does not exist, either between the extension's own jars or with the parent classloader (elasticsearch + x-pack)</li>
+ *     <li>If the extension contains extra security permissions, the policy file is validated</li>
  * </ul>
  */
-class InstallXPackExtensionCommand extends SettingCommand {
+final class InstallXPackExtensionCommand extends SettingCommand {
 
     private final OptionSpec<Void> batchOption;
     private final OptionSpec<String> arguments;
 
     InstallXPackExtensionCommand() {
-        super("Install a plugin");
+        super("Install an extension");
         this.batchOption = parser.acceptsAll(Arrays.asList("b", "batch"),
                 "Enable batch mode explicitly, automatic confirmation of security permission");
-        this.arguments = parser.nonOptions("plugin id");
+        this.arguments = parser.nonOptions("extension id");
     }
 
     @Override
@@ -86,7 +101,7 @@ class InstallXPackExtensionCommand extends SettingCommand {
 
         Path extensionZip = download(terminal, extensionId, env.tmpFile());
         Path extractedZip = unzip(extensionZip, resolveXPackExtensionsFile(env));
-        install(terminal, extractedZip, env);
+        install(terminal, extractedZip, env, isBatch);
     }
 
     /** Downloads the extension and returns the file it was downloaded to. */
@@ -133,13 +148,21 @@ class InstallXPackExtensionCommand extends SettingCommand {
     }
 
     /** Load information about the extension, and verify it can be installed with no errors. */
-    private XPackExtensionInfo verify(Terminal terminal, Path extensionRoot, Environment env) throws Exception {
+    private XPackExtensionInfo verify(Terminal terminal, Path extensionRoot, Environment env, boolean isBatch) throws Exception {
         // read and validate the extension descriptor
         XPackExtensionInfo info = XPackExtensionInfo.readFromProperties(extensionRoot);
         terminal.println(VERBOSE, info.toString());
 
         // check for jar hell before any copying
         jarHellCheck(extensionRoot);
+
+        // read optional security policy (extra permissions)
+        // if it exists, confirm or warn the user
+        Path policy = extensionRoot.resolve(XPackExtensionInfo.XPACK_EXTENSION_POLICY);
+        if (Files.exists(policy)) {
+            readPolicy(policy, terminal, env, isBatch);
+        }
+
         return info;
     }
 
@@ -165,11 +188,11 @@ class InstallXPackExtensionCommand extends SettingCommand {
     /**
      * Installs the extension from {@code tmpRoot} into the extensions dir.
      */
-    private void install(Terminal terminal, Path tmpRoot, Environment env) throws Exception {
+    private void install(Terminal terminal, Path tmpRoot, Environment env, boolean isBatch) throws Exception {
         List<Path> deleteOnFailure = new ArrayList<>();
         deleteOnFailure.add(tmpRoot);
         try {
-            XPackExtensionInfo info = verify(terminal, tmpRoot, env);
+            XPackExtensionInfo info = verify(terminal, tmpRoot, env, isBatch);
             final Path destination = resolveXPackExtensionsFile(env).resolve(info.getName());
             if (Files.exists(destination)) {
                 throw new UserError(ExitCodes.USAGE,
@@ -188,4 +211,150 @@ class InstallXPackExtensionCommand extends SettingCommand {
             throw installProblem;
         }
     }
+
+    /** Format permission type, name, and actions into a string */
+    static String formatPermission(Permission permission) {
+        StringBuilder sb = new StringBuilder();
+
+        String clazz = null;
+        if (permission instanceof UnresolvedPermission) {
+            clazz = ((UnresolvedPermission) permission).getUnresolvedType();
+        } else {
+            clazz = permission.getClass().getName();
+        }
+        sb.append(clazz);
+
+        String name = null;
+        if (permission instanceof UnresolvedPermission) {
+            name = ((UnresolvedPermission) permission).getUnresolvedName();
+        } else {
+            name = permission.getName();
+        }
+        if (name != null && name.length() > 0) {
+            sb.append(' ');
+            sb.append(name);
+        }
+
+        String actions = null;
+        if (permission instanceof UnresolvedPermission) {
+            actions = ((UnresolvedPermission) permission).getUnresolvedActions();
+        } else {
+            actions = permission.getActions();
+        }
+        if (actions != null && actions.length() > 0) {
+            sb.append(' ');
+            sb.append(actions);
+        }
+        return sb.toString();
+    }
+
+    /**
+     * Parses extension policy into a set of permissions
+     */
+    static PermissionCollection parsePermissions(Path file, Path tmpDir) throws IOException {
+        // create a zero byte file for "comparison"
+        // this is necessary because the default policy impl automatically grants two permissions:
+        // 1. permission to exitVM (which we ignore)
+        // 2. read permission to the code itself (e.g. jar file of the code)
+
+        Path emptyPolicyFile = Files.createTempFile(tmpDir, "empty", "tmp");
+        final Policy emptyPolicy;
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+        emptyPolicy =
+                AccessController.doPrivileged((PrivilegedAction<Policy>) () -> {
+                    try {
+                        return Policy.getInstance("JavaPolicy", new URIParameter(emptyPolicyFile.toUri()));
+                    } catch (NoSuchAlgorithmException e) {
+                        throw new RuntimeException(e);
+                    }
+                });
+        IOUtils.rm(emptyPolicyFile);
+
+        // parse the extension's policy file into a set of permissions
+        final Policy policy =
+                AccessController.doPrivileged((PrivilegedAction<Policy>) () -> {
+                            try {
+                                return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
+                            } catch (NoSuchAlgorithmException e) {
+                                throw new RuntimeException(e);
+                            }
+                });
+        PermissionCollection permissions = policy.getPermissions(XPackExtensionSecurity.class.getProtectionDomain());
+        // this method is supported with the specific implementation we use, but just check for safety.
+        if (permissions == Policy.UNSUPPORTED_EMPTY_COLLECTION) {
+            throw new UnsupportedOperationException("JavaPolicy implementation does not support retrieving permissions");
+        }
+        PermissionCollection actualPermissions = new Permissions();
+        for (Permission permission : Collections.list(permissions.elements())) {
+            if (!emptyPolicy.implies(XPackExtensionSecurity.class.getProtectionDomain(), permission)) {
+                actualPermissions.add(permission);
+            }
+        }
+        actualPermissions.setReadOnly();
+        return actualPermissions;
+    }
+
+
+    /**
+     * Reads extension policy, prints/confirms exceptions
+     */
+    static void readPolicy(Path file, Terminal terminal, Environment environment, boolean batch) throws IOException {
+        PermissionCollection permissions = parsePermissions(file, environment.tmpFile());
+        List<Permission> requested = Collections.list(permissions.elements());
+        if (requested.isEmpty()) {
+            terminal.println(Terminal.Verbosity.VERBOSE, "extension has a policy file with no additional permissions");
+            return;
+        }
+
+        // sort permissions in a reasonable order
+        Collections.sort(requested, new Comparator<Permission>() {
+            @Override
+            public int compare(Permission o1, Permission o2) {
+                int cmp = o1.getClass().getName().compareTo(o2.getClass().getName());
+                if (cmp == 0) {
+                    String name1 = o1.getName();
+                    String name2 = o2.getName();
+                    if (name1 == null) {
+                        name1 = "";
+                    }
+                    if (name2 == null) {
+                        name2 = "";
+                    }
+                    cmp = name1.compareTo(name2);
+                    if (cmp == 0) {
+                        String actions1 = o1.getActions();
+                        String actions2 = o2.getActions();
+                        if (actions1 == null) {
+                            actions1 = "";
+                        }
+                        if (actions2 == null) {
+                            actions2 = "";
+                        }
+                        cmp = actions1.compareTo(actions2);
+                    }
+                }
+                return cmp;
+            }
+        });
+
+        terminal.println(Terminal.Verbosity.NORMAL, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+        terminal.println(Terminal.Verbosity.NORMAL, "@     WARNING: x-pack extension requires additional permissions     @");
+        terminal.println(Terminal.Verbosity.NORMAL, "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+        // print all permissions:
+        for (Permission permission : requested) {
+            terminal.println(Terminal.Verbosity.NORMAL, "* " + formatPermission(permission));
+        }
+        terminal.println(Terminal.Verbosity.NORMAL, "See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html");
+        terminal.println(Terminal.Verbosity.NORMAL, "for descriptions of what these permissions allow and the associated risks.");
+        if (!batch) {
+            terminal.println(Terminal.Verbosity.NORMAL, "");
+            String text = terminal.readText("Continue with installation? [y/N]");
+            if (!text.equalsIgnoreCase("y")) {
+                throw new RuntimeException("installation aborted by user");
+            }
+        }
+    }
 }
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionInfo.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionInfo.java
index d705f8457ae..c2ea2a95316 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionInfo.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionInfo.java
@@ -16,6 +16,7 @@ import java.util.Properties;
 
 public class XPackExtensionInfo {
     public static final String XPACK_EXTENSION_PROPERTIES = "x-pack-extension-descriptor.properties";
+    public static final String XPACK_EXTENSION_POLICY = "x-pack-extension-security.policy";
 
     private String name;
     private String description;
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionPolicy.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionPolicy.java
new file mode 100644
index 00000000000..5ac71107340
--- /dev/null
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionPolicy.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.extensions;
+
+import org.elasticsearch.common.SuppressForbidden;
+
+import java.net.URL;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+import java.security.CodeSource;
+import java.security.Permission;
+import java.security.SecurityPermission;
+import java.util.Map;
+
+final class XPackExtensionPolicy extends Policy {
+    static final Permission SET_POLICY_PERMISSION = new SecurityPermission("setPolicy");
+    static final Permission GET_POLICY_PERMISSION = new SecurityPermission("getPolicy");
+    static final Permission CREATE_POLICY_PERMISSION = new SecurityPermission("createPolicy.JavaPolicy");
+
+    // the base policy (es + plugins)
+    final Policy basePolicy;
+    // policy extensions
+    final Map<String, Policy> extensions;
+    // xpack code source location
+    final URL xpackURL;
+
+    /**
+     *
+     * @param basePolicy The base policy
+     * @param extensions Extra code source extension's policy
+     */
+    public XPackExtensionPolicy(Policy basePolicy, Map<String, Policy> extensions) {
+        this.basePolicy = basePolicy;
+        this.extensions = extensions;
+        xpackURL = XPackExtensionPolicy.class.getProtectionDomain().getCodeSource().getLocation();
+    }
+
+    private boolean isPolicyPermission(Permission permission) {
+        return GET_POLICY_PERMISSION.equals(permission) ||
+                CREATE_POLICY_PERMISSION.equals(permission) ||
+                SET_POLICY_PERMISSION.equals(permission);
+    }
+
+    @Override @SuppressForbidden(reason = "fast equals check is desired")
+    public boolean implies(ProtectionDomain domain, Permission permission) {
+        CodeSource codeSource = domain.getCodeSource();
+        if (codeSource != null && codeSource.getLocation() != null) {
+            if (codeSource.getLocation().equals(xpackURL) &&
+                    isPolicyPermission(permission)) {
+                // forbid to get, create and set java policy in xpack codesource
+                // it is only granted at startup in order to let xpack add the extensions policy
+                // and make this policy the default.
+                return false;
+            }
+            // check for an additional extension permission: extension policy is
+            // only consulted for its codesources.
+            Policy extension = extensions.get(codeSource.getLocation().getFile());
+            if (extension != null && extension.implies(domain, permission)) {
+                return true;
+            }
+        }
+        return basePolicy.implies(domain, permission);
+    }
+}
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurity.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurity.java
new file mode 100644
index 00000000000..54f744b8551
--- /dev/null
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurity.java
@@ -0,0 +1,144 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.extensions;
+
+import org.elasticsearch.SpecialPermission;
+import org.elasticsearch.common.SuppressForbidden;
+import org.elasticsearch.common.io.PathUtils;
+
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.nio.file.DirectoryStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.security.Policy;
+import java.security.PrivilegedAction;
+import java.security.AccessController;
+import java.security.URIParameter;
+import java.security.NoSuchAlgorithmException;
+
+final class XPackExtensionSecurity {
+    private XPackExtensionSecurity() {}
+
+    /**
+     * Initializes the XPackExtensionPolicy
+     * Can only happen once!
+     *
+     * @param extsDirectory the directory where the extensions are installed
+     */
+    static void configure(Path extsDirectory) throws IOException {
+        Map<String, Policy> map = getExtensionsPermissions(extsDirectory);
+        if (map.size() > 0) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                sm.checkPermission(new SpecialPermission());
+            }
+            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+                Policy newPolicy = new XPackExtensionPolicy(Policy.getPolicy(), map);
+                Policy.setPolicy(newPolicy);
+                return null;
+            });
+        }
+    }
+
+    /**
+     * Sets properties (codebase URLs) for policy files.
+     * we look for matching extensions and set URLs to fit
+     */
+    @SuppressForbidden(reason = "proper use of URL")
+    static Map<String, Policy> getExtensionsPermissions(Path extsDirectory) throws IOException {
+        Map<String, Policy> map = new HashMap<>();
+        // collect up lists of extensions
+        List<Path> extensionPaths = new ArrayList<>();
+        if (Files.exists(extsDirectory)) {
+            try (DirectoryStream<Path> stream = Files.newDirectoryStream(extsDirectory)) {
+                for (Path extension : stream) {
+                    extensionPaths.add(extension);
+                }
+            }
+        }
+        // now process each one
+        for (Path extension : extensionPaths) {
+            Path policyFile = extension.resolve(XPackExtensionInfo.XPACK_EXTENSION_POLICY);
+            if (Files.exists(policyFile)) {
+                // first get a list of URLs for the extension's jars:
+                // we resolve symlinks so map is keyed on the normalize codebase name
+                List<URL> codebases = new ArrayList<>();
+                try (DirectoryStream<Path> jarStream = Files.newDirectoryStream(extension, "*.jar")) {
+                    for (Path jar : jarStream) {
+                        codebases.add(jar.toRealPath().toUri().toURL());
+                    }
+                }
+
+                // parse the extension's policy file into a set of permissions
+                Policy policy = readPolicy(policyFile.toUri().toURL(), codebases.toArray(new URL[codebases.size()]));
+
+                // consult this policy for each of the extension's jars:
+                for (URL url : codebases) {
+                    if (map.put(url.getFile(), policy) != null) {
+                        // just be paranoid ok?
+                        throw new IllegalStateException("per-extension permissions already granted for jar file: " + url);
+                    }
+                }
+            }
+        }
+
+        return Collections.unmodifiableMap(map);
+    }
+
+    /**
+     * Reads and returns the specified {@code policyFile}.
+     * <p>
+     * Resources (e.g. jar files and directories) listed in {@code codebases} location
+     * will be provided to the policy file via a system property of the short name:
+     * e.g. <code>${codebase.joda-convert-1.2.jar}</code> would map to full URL.
+     */
+    @SuppressForbidden(reason = "accesses fully qualified URLs to configure security")
+    static Policy readPolicy(URL policyFile, URL codebases[]) throws IOException {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
+        }
+        try {
+            try {
+                // set codebase properties
+                for (URL url : codebases) {
+                    String shortName = PathUtils.get(url.toURI()).getFileName().toString();
+
+                    AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+                        System.setProperty("codebase." + shortName, url.toString());
+                        return null;
+                    });
+                }
+                URIParameter uri = new URIParameter(policyFile.toURI());
+                return AccessController.doPrivileged((PrivilegedAction<Policy>) () -> {
+                    try {
+                        return Policy.getInstance("JavaPolicy", uri);
+                    } catch (NoSuchAlgorithmException e) {
+                        throw new RuntimeException(e);
+                    }
+                });
+            } finally {
+                // clear codebase properties
+                for (URL url : codebases) {
+                    String shortName = PathUtils.get(url.toURI()).getFileName().toString();
+                    AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+                        System.clearProperty("codebase." + shortName);
+                        return null;
+                    });
+                }
+            }
+        } catch (URISyntaxException e) {
+            throw new IllegalArgumentException("unable to parse policy file `" + policyFile + "`", e);
+        }
+    }
+}
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
index 42ff95f39f3..e682343838c 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/extensions/XPackExtensionsService.java
@@ -20,10 +20,10 @@ import java.net.URLClassLoader;
 import java.nio.file.DirectoryStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.List;
-import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
+import java.util.ArrayList;
 import java.util.Arrays;
 
 import static org.elasticsearch.common.io.FileSystemUtils.isAccessibleDirectory;
@@ -37,18 +37,25 @@ public class XPackExtensionsService {
     /**
      * We keep around a list of extensions
      */
-    private final List<Tuple<XPackExtensionInfo, XPackExtension> > extensions;
+    private final List<Tuple<XPackExtensionInfo, XPackExtension>> extensions;
 
     /**
      * Constructs a new XPackExtensionsService
-     * @param settings The settings of the system
-     * @param extsDirectory The directory extensions exist in, or null if extensions should not be loaded from the filesystem
+     *
+     * @param settings            The settings of the system
+     * @param extsDirectory       The directory extensions exist in, or null if extensions should not be loaded from the filesystem
      * @param classpathExtensions Extensions that exist in the classpath which should be loaded
      */
-    public XPackExtensionsService(Settings settings, Path extsDirectory, Collection<Class<? extends XPackExtension>> classpathExtensions) {
+    public XPackExtensionsService(Settings settings, Path extsDirectory,
+                                  Collection<Class<? extends XPackExtension>> classpathExtensions) {
+        try {
+            XPackExtensionSecurity.configure(extsDirectory);
+        } catch (Exception e) {
+            throw new IllegalStateException("Unable to configure extension policy", e);
+        }
+
         this.settings = settings;
         List<Tuple<XPackExtensionInfo, XPackExtension>> extensionsLoaded = new ArrayList<>();
-
         // first we load extensions that are on the classpath. this is for tests
         for (Class<? extends XPackExtension> extClass : classpathExtensions) {
             XPackExtension ext = loadExtension(extClass, settings);
@@ -123,7 +130,7 @@ public class XPackExtensionsService {
         return bundles;
     }
 
-    private List<Tuple<XPackExtensionInfo, XPackExtension> > loadBundles(List<Bundle> bundles) {
+    private List<Tuple<XPackExtensionInfo, XPackExtension>> loadBundles(List<Bundle> bundles) {
         List<Tuple<XPackExtensionInfo, XPackExtension>> exts = new ArrayList<>();
 
         for (Bundle bundle : bundles) {
@@ -183,4 +190,4 @@ public class XPackExtensionsService {
             throw new ElasticsearchException("Failed to load extension class [" + extClass.getName() + "]", e);
         }
     }
-}
+}
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy b/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy
index d3e821f4858..8ea29c8627b 100644
--- a/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy
+++ b/elasticsearch/x-pack/src/main/plugin-metadata/plugin-security.policy
@@ -16,4 +16,9 @@ grant {
 
   // bouncy castle
   permission java.security.SecurityPermission "putProviderProperty.BC";
+
+  // needed for x-pack security extension
+  permission java.security.SecurityPermission "createPolicy.JavaPolicy";
+  permission java.security.SecurityPermission "getPolicy";
+  permission java.security.SecurityPermission "setPolicy";
 };
diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
index fe04b60844f..04dd9951239 100644
--- a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/InstallXPackExtensionCommandTests.java
@@ -95,7 +95,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
         return terminal;
     }
 
-    void assertExtension(String name, Path original, Environment env) throws IOException {
+    void assertExtension(String name, Environment env) throws IOException {
         Path got = env.pluginsFile().resolve("x-pack").resolve("extensions").resolve(name);
         assertTrue("dir " + name + " exists", Files.exists(got));
         assertTrue("jar was copied", Files.exists(got.resolve("extension.jar")));
@@ -116,7 +116,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
         Path extDir = createTempDir();
         String extZip = createExtension("fake", extDir);
         installExtension(extZip, home);
-        assertExtension("fake", extDir, env);
+        assertExtension("fake", env);
     }
 
     public void testSpaceInUrl() throws Exception {
@@ -127,7 +127,7 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
             Files.copy(in, extZipWithSpaces, StandardCopyOption.REPLACE_EXISTING);
         }
         installExtension(extZipWithSpaces.toUri().toURL().toString(), home);
-        assertExtension("fake", extDir, env);
+        assertExtension("fake", env);
     }
 
     public void testMalformedUrlNotMaven() throws Exception {
@@ -155,8 +155,8 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
         Path extDir2 = createTempDir();
         String extZip2 = createExtension("fake2", extDir2);
         installExtension(extZip2, home);
-        assertExtension("fake1", extDir1, env);
-        assertExtension("fake2", extDir2, env);
+        assertExtension("fake1", env);
+        assertExtension("fake2", env);
     }
 
     public void testExistingExtension() throws Exception {
@@ -175,4 +175,4 @@ public class InstallXPackExtensionCommandTests extends ESTestCase {
         assertTrue(e.getMessage(), e.getMessage().contains("x-pack-extension-descriptor.properties"));
         assertInstallCleaned(env);
     }
-}
+}
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurityTests.java b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurityTests.java
new file mode 100644
index 00000000000..d912376aae5
--- /dev/null
+++ b/elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/extensions/XPackExtensionSecurityTests.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.extensions;
+
+import org.elasticsearch.test.ESTestCase;
+
+import java.nio.file.Path;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.util.Collections;
+import java.util.List;
+
+public class XPackExtensionSecurityTests extends ESTestCase {
+    /** Test that we can parse the set of permissions correctly for a simple policy */
+    public void testParsePermissions() throws Exception {
+        Path scratch = createTempDir();
+        Path testFile = this.getDataPath("security/simple-x-pack-extension-security.policy");
+        Permissions expected = new Permissions();
+        expected.add(new RuntimePermission("queuePrintJob"));
+        PermissionCollection actual = InstallXPackExtensionCommand.parsePermissions(testFile, scratch);
+        assertEquals(expected, actual);
+    }
+
+    /** Test that we can parse the set of permissions correctly for a complex policy */
+    public void testParseTwoPermissions() throws Exception {
+        Path scratch = createTempDir();
+        Path testFile = this.getDataPath("security/complex-x-pack-extension-security.policy");
+        Permissions expected = new Permissions();
+        expected.add(new RuntimePermission("getClassLoader"));
+        expected.add(new RuntimePermission("closeClassLoader"));
+        PermissionCollection actual = InstallXPackExtensionCommand.parsePermissions(testFile, scratch);
+        assertEquals(expected, actual);
+    }
+
+    /** Test that we can format some simple permissions properly */
+    public void testFormatSimplePermission() throws Exception {
+        assertEquals("java.lang.RuntimePermission queuePrintJob",
+                InstallXPackExtensionCommand.formatPermission(new RuntimePermission("queuePrintJob")));
+    }
+
+    /** Test that we can format an unresolved permission properly */
+    public void testFormatUnresolvedPermission() throws Exception {
+        Path scratch = createTempDir();
+        Path testFile = this.getDataPath("security/unresolved-x-pack-extension-security.policy");
+        PermissionCollection actual = InstallXPackExtensionCommand.parsePermissions(testFile, scratch);
+        List<Permission> permissions = Collections.list(actual.elements());
+        assertEquals(1, permissions.size());
+        assertEquals("org.fake.FakePermission fakeName", InstallXPackExtensionCommand.formatPermission(permissions.get(0)));
+    }
+
+    /** no guaranteed equals on these classes, we assert they contain the same set */
+    private void assertEquals(PermissionCollection expected, PermissionCollection actual) {
+        assertEquals(asSet(Collections.list(expected.elements())), asSet(Collections.list(actual.elements())));
+    }
+}
\ No newline at end of file
diff --git a/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/complex-x-pack-extension-security.policy b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/complex-x-pack-extension-security.policy
new file mode 100644
index 00000000000..ab52084ffa1
--- /dev/null
+++ b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/complex-x-pack-extension-security.policy
@@ -0,0 +1,5 @@
+grant {
+  // needed to cause problems
+  permission java.lang.RuntimePermission "getClassLoader";
+  permission java.lang.RuntimePermission "closeClassLoader";
+};
diff --git a/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/simple-x-pack-extension-security.policy b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/simple-x-pack-extension-security.policy
new file mode 100644
index 00000000000..3da788e1196
--- /dev/null
+++ b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/simple-x-pack-extension-security.policy
@@ -0,0 +1,4 @@
+grant {
+  // needed to waste paper
+  permission java.lang.RuntimePermission "queuePrintJob";
+};
diff --git a/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/unresolved-x-pack-extension-security.policy b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/unresolved-x-pack-extension-security.policy
new file mode 100644
index 00000000000..ea785b0d5f6
--- /dev/null
+++ b/elasticsearch/x-pack/src/test/resources/org/elasticsearch/xpack/extensions/security/unresolved-x-pack-extension-security.policy
@@ -0,0 +1,4 @@
+grant {
+  // an unresolved permission
+  permission org.fake.FakePermission "fakeName";
+};

From 3c1218ac1ce8af7ef554c77cdf3828deab274f43 Mon Sep 17 00:00:00 2001
From: jaymode <jay.modi@elasticsearch.com>
Date: Thu, 9 Jun 2016 11:49:53 -0400
Subject: [PATCH 17/22] security: don't iterate over realms if authentication
 is not enabled

This changes the realms iterator call to alway return a empty iterator when we have a basic license
otherwise an exception would be thrown.

Closes elastic/elasticsearch#2474

Original commit: elastic/x-pack-elasticsearch@168cab9e1d1773803ecd02e9a27ada64247a127f
---
 .../org/elasticsearch/shield/authc/Realms.java   |  5 +++++
 .../shield/SecurityFeatureSetTests.java          |  7 +++++--
 .../InternalAuthenticationServiceTests.java      |  1 +
 .../elasticsearch/shield/authc/RealmsTests.java  | 16 ++++++++++++++++
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
index 0dcc995db5a..604110c6ddc 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.common.collect.Iterators;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
@@ -101,6 +102,10 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
 
     @Override
     public Iterator<Realm> iterator() {
+        if (shieldLicenseState.authenticationAndAuthorizationEnabled() == false) {
+            return Collections.emptyIterator();
+        }
+
         EnabledRealmType enabledRealmType = shieldLicenseState.enabledRealmType();
         switch (enabledRealmType) {
             case ALL:
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java
index be1a6412f2e..0aaee2b15b3 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.xpack.watcher.support.xcontent.XContentSource;
 import org.junit.Before;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -92,7 +93,7 @@ public class SecurityFeatureSetTests extends ESTestCase {
             realmUsage.put("key3", i % 2 == 0);
             when(realm.usageStats()).thenReturn(realmUsage);
         }
-        when(realms.iterator()).thenReturn(realmsList.iterator());
+        when(realms.iterator()).thenReturn(available ? realmsList.iterator() : Collections.<Realm>emptyIterator());
 
         SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry);
         XPackFeatureSet.Usage usage = featureSet.usage();
@@ -102,12 +103,14 @@ public class SecurityFeatureSetTests extends ESTestCase {
         assertThat(usage.available(), is(available));
         XContentSource source = new XContentSource(usage);
 
-        if (enabled) {
+        if (enabled && available) {
             for (int i = 0; i < 5; i++) {
                 assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i));
                 assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i));
                 assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0));
             }
+        } else if (enabled) {
+            assertThat(source.getValue("enabled_realms"), is(notNullValue()));
         } else {
             assertThat(source.getValue("enabled_realms"), is(nullValue()));
         }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
index f0dcbaf5148..c21233e739e 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@@ -94,6 +94,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
         Settings settings = Settings.builder().put("path.home", createTempDir()).build();
         SecurityLicenseState shieldLicenseState = mock(SecurityLicenseState.class);
         when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
         realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.<String, Realm.Factory>emptyMap(), shieldLicenseState,
                 mock(ReservedRealm.class)) {
 
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
index ee14210ff7d..426c9a13c23 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
@@ -52,6 +52,7 @@ public class RealmsTests extends ESTestCase {
         }
         shieldLicenseState = mock(SecurityLicenseState.class);
         reservedRealm = mock(ReservedRealm.class);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
         when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
     }
 
@@ -338,6 +339,21 @@ public class RealmsTests extends ESTestCase {
         assertThat(count, equalTo(orderToIndex.size()));
     }
 
+    public void testAuthcAuthzDisabled() {
+        Settings settings = Settings.builder()
+                .put("path.home", createTempDir())
+                .put("xpack.security.authc.realms.realm_1.type", FileRealm.TYPE)
+                .put("xpack.security.authc.realms.realm_1.order", 0)
+                .build();
+        Environment env = new Environment(settings);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState, reservedRealm).start();
+
+        assertThat(realms.iterator().hasNext(), is(true));
+
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(false);
+        assertThat(realms.iterator().hasNext(), is(false));
+    }
+
     static class DummyRealm extends Realm {
 
         public DummyRealm(String type, RealmConfig config) {

From 1c170fb08104f356ff8a46eaf55caade6442e2a9 Mon Sep 17 00:00:00 2001
From: Nik Everett <nik9000@gmail.com>
Date: Tue, 14 Jun 2016 13:38:04 -0400
Subject: [PATCH 18/22] Make task/get known

Original commit: elastic/x-pack-elasticsearch@ce4bca4b86e4b9d56a151c429003e05e1be1854c
---
 .../src/test/resources/org/elasticsearch/transport/actions       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions
index ebf3293e8cc..1952eec4478 100644
--- a/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions
+++ b/elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions
@@ -20,6 +20,7 @@ cluster:monitor/nodes/stats
 cluster:monitor/state
 cluster:monitor/stats
 cluster:monitor/task
+cluster:monitor/task/get
 cluster:monitor/tasks/lists
 cluster:monitor/xpack/watcher/stats
 indices:admin/aliases

From f8ba97c42fae762852472f4b33658dad50670d47 Mon Sep 17 00:00:00 2001
From: jaymode <jay.modi@elasticsearch.com>
Date: Wed, 15 Jun 2016 08:52:22 -0400
Subject: [PATCH 19/22] test: mute test until we can fix the field stats
 caching

Original commit: elastic/x-pack-elasticsearch@06ce7da477acf24a38c3f7a075c5600b5329b962
---
 .../org/elasticsearch/integration/FieldLevelSecurityTests.java   | 1 +
 1 file changed, 1 insertion(+)

diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 64c9a08bdbe..06a54d43277 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -483,6 +483,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getResponses()[0].getResponse().getSource().get("field2").toString(), equalTo("value2"));
     }
 
+    @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2528")
     public void testFieldStatsApi() throws Exception {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")

From f92314ba0025250cbe5a23fda4c1bbf1c09ef7fe Mon Sep 17 00:00:00 2001
From: Nik Everett <nik9000@gmail.com>
Date: Wed, 15 Jun 2016 14:16:39 -0400
Subject: [PATCH 20/22] Disable field stats cache if field level security

Field level security poisons that cache.

Closes elastic/elasticsearch#2528

Original commit: elastic/x-pack-elasticsearch@12ca4a2ef44a8ab80621fbc6cdb3103a28fb9626
---
 .../shield/action/ShieldActionModule.java     |  2 ++
 ...cumentLevelSecurityRequestInterceptor.java | 16 +++++----
 .../FieldStatsRequestInterceptor.java         | 34 +++++++++++++++++++
 .../RealtimeRequestInterceptor.java           |  3 +-
 .../interceptor/SearchRequestInterceptor.java |  2 +-
 .../interceptor/UpdateRequestInterceptor.java |  2 +-
 .../integration/FieldLevelSecurityTests.java  |  1 -
 7 files changed, 49 insertions(+), 11 deletions(-)
 create mode 100644 elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
index 963f35e0ea4..d54ca1b89aa 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
@@ -9,6 +9,7 @@ import org.elasticsearch.common.inject.multibindings.Multibinder;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.action.filter.ShieldActionFilter;
 import org.elasticsearch.shield.action.interceptor.BulkRequestInterceptor;
+import org.elasticsearch.shield.action.interceptor.FieldStatsRequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.RealtimeRequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.RequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.SearchRequestInterceptor;
@@ -34,5 +35,6 @@ public class ShieldActionModule extends AbstractShieldModule.Node {
         multibinder.addBinding().to(SearchRequestInterceptor.class);
         multibinder.addBinding().to(UpdateRequestInterceptor.class);
         multibinder.addBinding().to(BulkRequestInterceptor.class);
+        multibinder.addBinding().to(FieldStatsRequestInterceptor.class);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
index d8cdd452c93..b53faa521cf 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
@@ -47,12 +47,14 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
             for (String index : indicesRequest.indices()) {
                 IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
                 if (indexAccessControl != null) {
-                    boolean fls = indexAccessControl.getFields() != null;
-                    boolean dls = indexAccessControl.getQueries() != null;
-                    if (fls || dls) {
-                        logger.debug("intercepted request for index [{}] with field level or document level security enabled, " +
-                                "disabling features", index);
-                        disableFeatures(request);
+                    boolean fieldLevelSecurityEnabled = indexAccessControl.getFields() != null;
+                    boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
+                    if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
+                        if (logger.isDebugEnabled()) {
+                            logger.debug("intercepted request for index [{}] with field level [{}] or document level [{}] security "
+                                    + "enabled, disabling features", index, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
+                        }
+                        disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
                         return;
                     }
                 }
@@ -62,6 +64,6 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
         }
     }
 
-    protected abstract void disableFeatures(Request request);
+    protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled);
 
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java
new file mode 100644
index 00000000000..46edc92b18a
--- /dev/null
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.shield.action.interceptor;
+
+import org.elasticsearch.action.fieldstats.FieldStatsRequest;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.transport.TransportRequest;
+
+/**
+ * Intercepts requests to shards to field level stats and strips fields that the user is not allowed to access from the response.
+ */
+public class FieldStatsRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor<FieldStatsRequest> {
+    @Inject
+    public FieldStatsRequestInterceptor(Settings settings, ThreadPool threadPool) {
+        super(settings, threadPool.getThreadContext());
+    }
+
+    @Override
+    public boolean supports(TransportRequest request) {
+        return request instanceof FieldStatsRequest;
+    }
+
+    @Override
+    protected void disableFeatures(FieldStatsRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
+        if (fieldLevelSecurityEnabled) {
+            request.setUseCache(false);
+        }
+    }
+}
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java
index df0ac5f1e44..7dca9937319 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java
@@ -23,7 +23,8 @@ public class RealtimeRequestInterceptor extends FieldAndDocumentLevelSecurityReq
     }
 
     @Override
-    protected void disableFeatures(RealtimeRequest realtimeRequest) {
+    protected void disableFeatures(RealtimeRequest realtimeRequest, boolean fieldLevelSecurityEnabled,
+            boolean documentLevelSecurityEnabled) {
         realtimeRequest.realtime(false);
     }
 
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java
index 51afa39f1c0..168ce041885 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java
@@ -22,7 +22,7 @@ public class SearchRequestInterceptor extends FieldAndDocumentLevelSecurityReque
     }
 
     @Override
-    public void disableFeatures(SearchRequest request) {
+    public void disableFeatures(SearchRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
         request.requestCache(false);
     }
 
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java
index 88a7cf424ba..1800265b666 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java
@@ -28,7 +28,7 @@ public class UpdateRequestInterceptor extends FieldAndDocumentLevelSecurityReque
     }
 
     @Override
-    protected void disableFeatures(UpdateRequest updateRequest) {
+    protected void disableFeatures(UpdateRequest updateRequest, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
         throw new ElasticsearchSecurityException("Can't execute an update request if field or document level security is enabled",
                 RestStatus.BAD_REQUEST);
     }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 06a54d43277..64c9a08bdbe 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -483,7 +483,6 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getResponses()[0].getResponse().getSource().get("field2").toString(), equalTo("value2"));
     }
 
-    @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2528")
     public void testFieldStatsApi() throws Exception {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")

From 36ad326483bed89178a30e80909a4d844066ed1a Mon Sep 17 00:00:00 2001
From: Simon Willnauer <simon.willnauer@elasticsearch.com>
Date: Thu, 16 Jun 2016 09:35:16 +0200
Subject: [PATCH 21/22] Simplify ScriptModule and script registration
 elastic/elasticsearchelastic/elasticsearch#18903 (elastic/elasticsearch#2535)

follow up PR for elastic/elasticsearchelastic/elasticsearch#18903

Original commit: elastic/x-pack-elasticsearch@d6ab3ab1413d30a48167cc60a940b818160b33c2
---
 .../messy/tests/MessyTestUtils.java              | 14 +++-----------
 .../smoketest/WatcherTemplateTests.java          |  8 ++------
 .../xpack/graph/test/GraphTests.java             | 15 ++++++++++++---
 .../org/elasticsearch/xpack/XPackPlugin.java     | 10 +++++++---
 .../org/elasticsearch/xpack/watcher/Watcher.java |  3 ---
 .../script/MockMustacheScriptEngine.java         | 14 +++++++++-----
 .../elasticsearch/script/SleepScriptEngine.java  | 16 ++++++++++------
 .../xpack/watcher/test/WatcherTestUtils.java     |  2 +-
 8 files changed, 44 insertions(+), 38 deletions(-)

diff --git a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/MessyTestUtils.java b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/MessyTestUtils.java
index c4bbc2186b9..dee4d8ae66b 100644
--- a/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/MessyTestUtils.java
+++ b/elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/MessyTestUtils.java
@@ -14,7 +14,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.script.ScriptContextRegistry;
 import org.elasticsearch.script.ScriptEngineRegistry;
-import org.elasticsearch.script.ScriptEngineService;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.script.ScriptSettings;
 import org.elasticsearch.script.groovy.GroovyScriptEngineService;
@@ -25,8 +24,7 @@ import org.junit.Ignore;
 import org.mockito.Mockito;
 
 import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.Collections;
 
 @Ignore // not a test.
 @SuppressForbidden(reason = "gradle is broken and tries to run me as a test")
@@ -38,19 +36,13 @@ public final class MessyTestUtils {
                 .put("path.home", LuceneTestCase.createTempDir())
                 .build();
         GroovyScriptEngineService groovyScriptEngineService = new GroovyScriptEngineService(settings);
-        Set<ScriptEngineService> engineServiceSet = new HashSet<>();
-        engineServiceSet.add(groovyScriptEngineService);
-        ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(
-                Arrays.asList(
-                        new ScriptEngineRegistry.ScriptEngineRegistration(GroovyScriptEngineService.class, GroovyScriptEngineService.NAME)
-                )
-        );
+        ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(Collections.singleton(groovyScriptEngineService));
         ScriptContextRegistry scriptContextRegistry = new ScriptContextRegistry(Arrays.asList(ScriptServiceProxy.INSTANCE));
 
         ClusterService clusterService = Mockito.mock(ClusterService.class);
         Mockito.when(clusterService.state()).thenReturn(ClusterState.builder(new ClusterName("_name")).build());
         ScriptSettings scriptSettings = new ScriptSettings(scriptEngineRegistry, scriptContextRegistry);
-        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings), engineServiceSet,
+        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings),
                 new ResourceWatcherService(settings, tp), scriptEngineRegistry, scriptContextRegistry, scriptSettings),
                 clusterService);
     }
diff --git a/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/java/org/elasticsearch/smoketest/WatcherTemplateTests.java b/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/java/org/elasticsearch/smoketest/WatcherTemplateTests.java
index efe00900d07..5475529e2d8 100644
--- a/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/java/org/elasticsearch/smoketest/WatcherTemplateTests.java
+++ b/elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/java/org/elasticsearch/smoketest/WatcherTemplateTests.java
@@ -49,18 +49,14 @@ public class WatcherTemplateTests extends ESTestCase {
     public void init() throws Exception {
         Settings setting = Settings.builder().put(ScriptService.SCRIPT_AUTO_RELOAD_ENABLED_SETTING, true).build();
         Environment environment = Mockito.mock(Environment.class);
-        Set<ScriptEngineService> engines = Collections.singleton(new MustacheScriptEngineService(setting));
         ResourceWatcherService resourceWatcherService = Mockito.mock(ResourceWatcherService.class);
         ScriptContextRegistry registry = new ScriptContextRegistry(Collections.singletonList(ScriptServiceProxy.INSTANCE));
 
         ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(
-                Arrays.asList(
-                        new ScriptEngineRegistry.ScriptEngineRegistration(MustacheScriptEngineService.class,
-                                MustacheScriptEngineService.NAME)
-                )
+                Collections.singleton(new MustacheScriptEngineService(setting))
         );
         ScriptSettings scriptSettings = new ScriptSettings(scriptEngineRegistry, registry);
-        ScriptService scriptService = new ScriptService(setting, environment, engines, resourceWatcherService, scriptEngineRegistry,
+        ScriptService scriptService = new ScriptService(setting, environment, resourceWatcherService, scriptEngineRegistry,
                 registry, scriptSettings);
         ClusterService clusterService = Mockito.mock(ClusterService.class);
         Mockito.when(clusterService.state()).thenReturn(ClusterState.builder(new ClusterName("_name")).build());
diff --git a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
index 9fe576c8dc5..9131921669f 100644
--- a/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
+++ b/elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java
@@ -15,6 +15,7 @@ import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.index.query.ScriptQueryBuilder;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.ScriptPlugin;
 import org.elasticsearch.script.AbstractSearchScript;
 import org.elasticsearch.script.ExecutableScript;
 import org.elasticsearch.script.NativeScriptFactory;
@@ -34,6 +35,8 @@ import org.elasticsearch.xpack.graph.action.Vertex;
 import org.elasticsearch.xpack.graph.action.VertexRequest;
 
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import static org.elasticsearch.cluster.metadata.IndexMetaData.SETTING_NUMBER_OF_REPLICAS;
@@ -346,7 +349,7 @@ public class GraphTests extends ESSingleNodeTestCase {
         assertThat(why, strongVertex.getWeight(), greaterThan(weakVertex.getWeight()));
     }
 
-    public static class ScriptedTimeoutPlugin extends Plugin {
+    public static class ScriptedTimeoutPlugin extends Plugin implements ScriptPlugin {
         @Override
         public String name() {
             return "test-scripted-graph-timeout";
@@ -357,8 +360,9 @@ public class GraphTests extends ESSingleNodeTestCase {
             return "Test for scripted timeouts on graph searches";
         }
 
-        public void onModule(ScriptModule module) {
-            module.registerScript(NativeTestScriptedTimeout.TEST_NATIVE_SCRIPT_TIMEOUT, NativeTestScriptedTimeout.Factory.class);
+        @Override
+        public List<NativeScriptFactory> getNativeScripts() {
+            return Collections.singletonList(new NativeTestScriptedTimeout.Factory());
         }
     }
 
@@ -377,6 +381,11 @@ public class GraphTests extends ESSingleNodeTestCase {
             public boolean needsScores() {
                 return false;
             }
+
+            @Override
+            public String getName() {
+                return TEST_NATIVE_SCRIPT_TIMEOUT;
+            }
         }
 
         @Override
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index 456f8db3598..17aefe14881 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -22,6 +22,8 @@ import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.ScriptPlugin;
+import org.elasticsearch.script.ScriptContext;
 import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.AuthenticationModule;
@@ -31,6 +33,7 @@ import org.elasticsearch.xpack.action.TransportXPackInfoAction;
 import org.elasticsearch.xpack.action.TransportXPackUsageAction;
 import org.elasticsearch.xpack.action.XPackInfoAction;
 import org.elasticsearch.xpack.action.XPackUsageAction;
+import org.elasticsearch.xpack.common.ScriptServiceProxy;
 import org.elasticsearch.xpack.common.http.HttpClientModule;
 import org.elasticsearch.xpack.common.init.LazyInitializationModule;
 import org.elasticsearch.xpack.common.init.LazyInitializationService;
@@ -55,7 +58,7 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
-public class XPackPlugin extends Plugin {
+public class XPackPlugin extends Plugin implements ScriptPlugin {
 
     public static final String NAME = "x-pack";
 
@@ -182,8 +185,9 @@ public class XPackPlugin extends Plugin {
         return builder.build();
     }
 
-    public void onModule(ScriptModule module) {
-        watcher.onModule(module);
+    @Override
+    public ScriptContext.Plugin getCustomScriptContexts() {
+        return ScriptServiceProxy.INSTANCE;
     }
 
     public void onModule(SettingsModule module) {
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
index 2f8b1e1ce2f..50d34f72318 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
@@ -140,9 +140,6 @@ public class Watcher {
         return Settings.EMPTY;
     }
 
-    public void onModule(ScriptModule module) {
-        module.registerScriptContext(ScriptServiceProxy.INSTANCE);
-    }
 
     public void onModule(SettingsModule module) {
         for (TemplateConfig templateConfig : WatcherIndexTemplateRegistry.TEMPLATE_CONFIGS) {
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java
index 6430fde4a16..31b4f8fb44f 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/MockMustacheScriptEngine.java
@@ -5,10 +5,9 @@
  */
 package org.elasticsearch.script;
 
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.xpack.common.text.DefaultTextTemplateEngine;
 
-import java.util.Collections;
-import java.util.List;
 import java.util.Map;
 
 /**
@@ -27,10 +26,10 @@ public class MockMustacheScriptEngine extends MockScriptEngine {
             return NAME;
         }
 
-        public void onModule(ScriptModule module) {
-            module.addScriptEngine(new ScriptEngineRegistry.ScriptEngineRegistration(MockMustacheScriptEngine.class, NAME, true));
+        @Override
+        public ScriptEngineService getScriptEngineService(Settings settings) {
+            return new MockMustacheScriptEngine();
         }
-
     }
 
     @Override
@@ -51,4 +50,9 @@ public class MockMustacheScriptEngine extends MockScriptEngine {
 
         return super.compile(name, script, params);
     }
+
+    @Override
+    public boolean isInlineScriptEnabled() {
+        return true;
+    }
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java
index c0cf787d7e8..ad593bfe8ac 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/script/SleepScriptEngine.java
@@ -6,12 +6,13 @@
 package org.elasticsearch.script;
 
 import org.elasticsearch.common.Nullable;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.ScriptPlugin;
 import org.elasticsearch.search.lookup.SearchLookup;
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.List;
 import java.util.Map;
 
 /**
@@ -21,7 +22,7 @@ public class SleepScriptEngine implements ScriptEngineService {
 
     public static final String NAME = "sleep";
 
-    public static class TestPlugin extends Plugin {
+    public static class TestPlugin extends Plugin implements ScriptPlugin {
 
         public TestPlugin() {
         }
@@ -36,11 +37,10 @@ public class SleepScriptEngine implements ScriptEngineService {
             return "Mock script engine for integration tests";
         }
 
-        public void onModule(ScriptModule module) {
-            module.addScriptEngine(new ScriptEngineRegistry.ScriptEngineRegistration(SleepScriptEngine.class,
-                            SleepScriptEngine.NAME, true));
+        @Override
+        public ScriptEngineService getScriptEngineService(Settings settings) {
+            return new SleepScriptEngine();
         }
-
     }
 
     @Override
@@ -92,4 +92,8 @@ public class SleepScriptEngine implements ScriptEngineService {
                 .params(Collections.singletonMap("millis", millis)).build();
     }
 
+    @Override
+    public boolean isInlineScriptEnabled() {
+        return true;
+    }
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/WatcherTestUtils.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/WatcherTestUtils.java
index e576cfd50ab..f11d07a3f4a 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/WatcherTestUtils.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/test/WatcherTestUtils.java
@@ -254,7 +254,7 @@ public final class WatcherTestUtils {
         ScriptSettings scriptSettings = new ScriptSettings(scriptEngineRegistry, scriptContextRegistry);
         ClusterService clusterService = Mockito.mock(ClusterService.class);
         Mockito.when(clusterService.state()).thenReturn(ClusterState.builder(new ClusterName("_name")).build());
-        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings), Collections.emptySet(),
+        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings),
                 new ResourceWatcherService(settings, tp), scriptEngineRegistry, scriptContextRegistry, scriptSettings),
                 clusterService);
     }

From b2c944a480d6195c395a4731f0015b3f62693959 Mon Sep 17 00:00:00 2001
From: Simon Willnauer <simon.willnauer@elasticsearch.com>
Date: Thu, 16 Jun 2016 15:53:01 +0200
Subject: [PATCH 22/22] Cut over settings registration to a pull model
 elastic/elasticsearchelastic/elasticsearch#18890 (elastic/elasticsearch#2538)

Followup for elastic/elasticsearchelastic/elasticsearch#18890

Original commit: elastic/x-pack-elasticsearch@a65ee6913f49dfe452c0a57c2e4af389a6a9ede4
---
 .../org/elasticsearch/xpack/graph/Graph.java  | 13 ++--
 .../license/plugin/Licensing.java             |  5 +-
 .../consumer/TestConsumerPluginBase.java      | 14 ++---
 .../org/elasticsearch/marvel/Monitoring.java  |  2 +-
 .../marvel/MonitoringSettings.java            | 32 +++++-----
 .../org/elasticsearch/shield/Security.java    | 63 ++++++++++---------
 .../shield/audit/AuditTrailModule.java        | 10 +--
 .../shield/audit/index/IndexAuditTrail.java   | 18 +++---
 .../audit/logfile/LoggingAuditTrail.java      |  9 +--
 .../authc/InternalAuthenticationService.java  |  7 ++-
 .../elasticsearch/shield/authc/Realms.java    |  4 +-
 .../authc/esnative/NativeUsersStore.java      |  8 +--
 .../authz/InternalAuthorizationService.java   |  4 +-
 .../shield/authz/store/FileRolesStore.java    |  4 +-
 .../shield/authz/store/NativeRolesStore.java  |  9 ++-
 .../shield/crypto/InternalCryptoService.java  | 10 +--
 .../shield/ssl/SSLConfiguration.java          | 38 +++++------
 .../shield/transport/filter/IPFilter.java     | 16 ++---
 .../netty/ShieldNettyHttpServerTransport.java |  9 +--
 .../transport/netty/ShieldNettyTransport.java | 21 ++++---
 .../shield/user/AnonymousUser.java            | 11 +++-
 .../shield/audit/AuditTrailModuleTests.java   | 22 +++----
 .../test/SettingsFilterTests.java             | 15 +++--
 .../org/elasticsearch/xpack/XPackPlugin.java  | 44 ++++++++-----
 .../xpack/notification/Notification.java      | 26 ++++----
 .../elasticsearch/xpack/watcher/Watcher.java  | 45 ++++++-------
 .../WatcherIndexTemplateRegistryTests.java    |  7 ++-
 27 files changed, 254 insertions(+), 212 deletions(-)

diff --git a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
index 9c435dba74f..b21f1884bc5 100644
--- a/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
+++ b/elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java
@@ -20,6 +20,7 @@ import org.elasticsearch.xpack.graph.rest.action.RestGraphAction;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 
 public class Graph extends Plugin {
 
@@ -69,10 +70,12 @@ public class Graph extends Plugin {
         if (enabled && transportClientMode == false) {
             module.registerRestHandler(RestGraphAction.class);        
         }
-    }    
-    
-    public void onModule(SettingsModule module) {
-        module.registerSetting(Setting.boolSetting(XPackPlugin.featureEnabledSetting(NAME), true, Setting.Property.NodeScope));
-    }    
+    }
+
+
+    @Override
+    public List<Setting<?>> getSettings() {
+        return Collections.singletonList(Setting.boolSetting(XPackPlugin.featureEnabledSetting(NAME), true, Setting.Property.NodeScope));
+    }
 
 }
diff --git a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/Licensing.java b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/Licensing.java
index 22c95840dd9..0f52530f74f 100644
--- a/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/Licensing.java
+++ b/elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/Licensing.java
@@ -28,6 +28,7 @@ import org.elasticsearch.license.plugin.rest.RestPutLicenseAction;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 
 import static org.elasticsearch.xpack.XPackPlugin.isTribeClientNode;
 import static org.elasticsearch.xpack.XPackPlugin.isTribeNode;
@@ -80,8 +81,8 @@ public class Licensing {
         return Collections.emptyList();
     }
 
-    public void onModule(SettingsModule module) {
+    public List<Setting<?>> getSettings() {
         // TODO convert this wildcard to a real setting
-        module.registerSetting(Setting.groupSetting("license.", Setting.Property.NodeScope));
+        return Collections.singletonList(Setting.groupSetting("license.", Setting.Property.NodeScope));
     }
 }
diff --git a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestConsumerPluginBase.java b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestConsumerPluginBase.java
index 46c50b0375c..4261e375d49 100644
--- a/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestConsumerPluginBase.java
+++ b/elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestConsumerPluginBase.java
@@ -14,7 +14,9 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.plugins.Plugin;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
 
 public abstract class TestConsumerPluginBase extends Plugin {
 
@@ -44,13 +46,11 @@ public abstract class TestConsumerPluginBase extends Plugin {
         return services;
     }
 
-    public void onModule(SettingsModule module) {
-        try {
-            module.registerSetting(Setting.simpleString("_trial_license_duration_in_seconds", Setting.Property.NodeScope));
-            module.registerSetting(Setting.simpleString("_grace_duration_in_seconds", Setting.Property.NodeScope));
-        } catch (IllegalArgumentException ex) {
-            // already loaded
-        }
+    @Override
+    public List<Setting<?>> getSettings() {
+        return Arrays.asList(Setting.simpleString("_trial_license_duration_in_seconds", Setting.Property.NodeScope,
+                Setting.Property.Shared), Setting.simpleString("_grace_duration_in_seconds", Setting.Property.NodeScope,
+                Setting.Property.Shared));
     }
 
     public abstract Class<? extends TestPluginServiceBase> service();
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/Monitoring.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/Monitoring.java
index 8b29f92ffa5..4ec351b8ee6 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/Monitoring.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/Monitoring.java
@@ -9,6 +9,7 @@ import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.marvel.action.MonitoringBulkAction;
@@ -80,7 +81,6 @@ public class Monitoring {
     }
 
     public void onModule(SettingsModule module) {
-        MonitoringSettings.register(module);
     }
 
     public void onModule(ActionModule module) {
diff --git a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MonitoringSettings.java b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MonitoringSettings.java
index 3ee8afcce21..714f4c9c9ae 100644
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MonitoringSettings.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MonitoringSettings.java
@@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.xpack.XPackPlugin;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.function.Function;
@@ -125,22 +126,23 @@ public class MonitoringSettings extends AbstractComponent {
     public static final Setting<Settings> EXPORTERS_SETTINGS =
             groupSetting(key("agent.exporters."), Property.Dynamic, Property.NodeScope);
 
-    static void register(SettingsModule module) {
-        module.registerSetting(INDICES);
-        module.registerSetting(INTERVAL);
-        module.registerSetting(INDEX_RECOVERY_TIMEOUT);
-        module.registerSetting(INDEX_STATS_TIMEOUT);
-        module.registerSetting(INDICES_STATS_TIMEOUT);
-        module.registerSetting(INDEX_RECOVERY_ACTIVE_ONLY);
-        module.registerSetting(COLLECTORS);
-        module.registerSetting(CLUSTER_STATE_TIMEOUT);
-        module.registerSetting(CLUSTER_STATS_TIMEOUT);
-        module.registerSetting(HISTORY_DURATION);
-        module.registerSetting(EXPORTERS_SETTINGS);
-        module.registerSetting(ENABLED);
+    public static List<Setting<?>> getSettings() {
+        return Arrays.asList(INDICES,
+                INTERVAL,
+                INDEX_RECOVERY_TIMEOUT,
+                INDEX_STATS_TIMEOUT,
+                INDICES_STATS_TIMEOUT,
+                INDEX_RECOVERY_ACTIVE_ONLY,
+                COLLECTORS,
+                CLUSTER_STATE_TIMEOUT,
+                CLUSTER_STATS_TIMEOUT,
+                HISTORY_DURATION,
+                EXPORTERS_SETTINGS,
+                ENABLED);
+    }
 
-        module.registerSettingsFilter("xpack.monitoring.agent.exporters.*.auth.*");
-        module.registerSettingsFilter("xpack.monitoring.agent.exporters.*.ssl.*");
+    public static List<String> getSettingsFilter() {
+        return Arrays.asList("xpack.monitoring.agent.exporters.*.auth.*", "xpack.monitoring.agent.exporters.*.ssl.*");
     }
 
 
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
index 6d63c016a03..aaa68307b1b 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java
@@ -18,7 +18,6 @@ import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.shield.action.ShieldActionModule;
@@ -188,62 +187,70 @@ public class Security {
         return settingsBuilder.build();
     }
 
-    public void onModule(SettingsModule settingsModule) {
+    public List<Setting<?>> getSettings() {
+        List<Setting<?>> settingsList = new ArrayList<>();
         // always register for both client and node modes
-        XPackPlugin.registerFeatureEnabledSettings(settingsModule, NAME, true);
-        settingsModule.registerSetting(USER_SETTING);
+        XPackPlugin.addFeatureEnabledSettings(settingsList, NAME, true);
+        settingsList.add(USER_SETTING);
 
         // SSL settings
-        SSLConfiguration.Global.registerSettings(settingsModule);
+        SSLConfiguration.Global.addSettings(settingsList);
 
         // transport settings
-        ShieldNettyTransport.registerSettings(settingsModule);
+        ShieldNettyTransport.addSettings(settingsList);
 
         if (transportClientMode) {
-            return;
+            return settingsList;
         }
 
         // The following just apply in node mode
-        XPackPlugin.registerFeatureEnabledSettings(settingsModule, DLS_FLS_FEATURE, true);
+        XPackPlugin.addFeatureEnabledSettings(settingsList, DLS_FLS_FEATURE, true);
 
         // IP Filter settings
-        IPFilter.registerSettings(settingsModule);
+        IPFilter.addSettings(settingsList);
 
         // audit settings
-        AuditTrailModule.registerSettings(settingsModule);
+        AuditTrailModule.addSettings(settingsList);
 
         // authentication settings
-        FileRolesStore.registerSettings(settingsModule);
-        AnonymousUser.registerSettings(settingsModule);
-        Realms.registerSettings(settingsModule);
-        NativeUsersStore.registerSettings(settingsModule);
-        NativeRolesStore.registerSettings(settingsModule);
-        InternalAuthenticationService.registerSettings(settingsModule);
-        InternalAuthorizationService.registerSettings(settingsModule);
+        FileRolesStore.addSettings(settingsList);
+        AnonymousUser.addSettings(settingsList);
+        Realms.addSettings(settingsList);
+        NativeUsersStore.addSettings(settingsList);
+        NativeRolesStore.addSettings(settingsList);
+        InternalAuthenticationService.addSettings(settingsList);
+        InternalAuthorizationService.addSettings(settingsList);
 
         // HTTP settings
-        ShieldNettyHttpServerTransport.registerSettings(settingsModule);
+        ShieldNettyHttpServerTransport.addSettings(settingsList);
 
         // encryption settings
-        InternalCryptoService.registerSettings(settingsModule);
+        InternalCryptoService.addSettings(settingsList);
 
         // hide settings
-        settingsModule.registerSetting(Setting.listSetting(setting("hide_settings"), Collections.emptyList(), Function.identity(),
+        settingsList.add(Setting.listSetting(setting("hide_settings"), Collections.emptyList(), Function.identity(),
                 Property.NodeScope, Property.Filtered));
+        return settingsList;
+    }
+
+    
+    public List<String> getSettingsFilter() {
+        ArrayList<String> settingsFilter = new ArrayList<>();
         String[] asArray = settings.getAsArray(setting("hide_settings"));
         for (String pattern : asArray) {
-            settingsModule.registerSettingsFilter(pattern);
+            settingsFilter.add(pattern);
         }
 
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_dn"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_password"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.password"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.path"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.algorithm"));
+        settingsFilter.add(setting("authc.realms.*.bind_dn"));
+        settingsFilter.add(setting("authc.realms.*.bind_password"));
+        settingsFilter.add(setting("authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING));
+        settingsFilter.add(setting("authc.realms.*.truststore.password"));
+        settingsFilter.add(setting("authc.realms.*.truststore.path"));
+        settingsFilter.add(setting("authc.realms.*.truststore.algorithm"));
 
         // hide settings where we don't define them - they are part of a group...
-        settingsModule.registerSettingsFilter("transport.profiles.*." + setting("*"));
+        settingsFilter.add("transport.profiles.*." + setting("*"));
+        return settingsFilter;
     }
 
     public void onIndexModule(IndexModule module) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java
index f58e0f01b81..1b1a18c0e21 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java
@@ -102,10 +102,10 @@ public class AuditTrailModule extends AbstractShieldModule.Node {
         return false;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(ENABLED_SETTING);
-        settingsModule.registerSetting(OUTPUTS_SETTING);
-        LoggingAuditTrail.registerSettings(settingsModule);
-        IndexAuditTrail.registerSettings(settingsModule);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(ENABLED_SETTING);
+        settings.add(OUTPUTS_SETTING);
+        LoggingAuditTrail.registerSettings(settings);
+        IndexAuditTrail.registerSettings(settings);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
index 1e2b4665d66..da8163139b1 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
@@ -877,15 +877,15 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(INDEX_SETTINGS);
-        settingsModule.registerSetting(EXCLUDE_EVENT_SETTINGS);
-        settingsModule.registerSetting(INCLUDE_EVENT_SETTINGS);
-        settingsModule.registerSetting(ROLLOVER_SETTING);
-        settingsModule.registerSetting(BULK_SIZE_SETTING);
-        settingsModule.registerSetting(FLUSH_TIMEOUT_SETTING);
-        settingsModule.registerSetting(QUEUE_SIZE_SETTING);
-        settingsModule.registerSetting(REMOTE_CLIENT_SETTINGS);
+    public static void registerSettings(List<Setting<?>> settings) {
+        settings.add(INDEX_SETTINGS);
+        settings.add(EXCLUDE_EVENT_SETTINGS);
+        settings.add(INCLUDE_EVENT_SETTINGS);
+        settings.add(ROLLOVER_SETTING);
+        settings.add(BULK_SIZE_SETTING);
+        settings.add(FLUSH_TIMEOUT_SETTING);
+        settings.add(QUEUE_SIZE_SETTING);
+        settings.add(REMOTE_CLIENT_SETTINGS);
     }
 
     private class QueueConsumer extends Thread {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java
index 92396f02c94..4f4f6942883 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java
@@ -35,6 +35,7 @@ import org.elasticsearch.transport.TransportMessage;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
+import java.util.List;
 
 import static org.elasticsearch.common.Strings.arrayToCommaDelimitedString;
 import static org.elasticsearch.shield.audit.AuditUtil.indices;
@@ -463,9 +464,9 @@ public class LoggingAuditTrail extends AbstractLifecycleComponent<LoggingAuditTr
         return builder.append(user.principal()).append("]").toString();
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(HOST_ADDRESS_SETTING);
-        settingsModule.registerSetting(HOST_NAME_SETTING);
-        settingsModule.registerSetting(NODE_NAME_SETTING);
+    public static void registerSettings(List<Setting<?>> settings) {
+        settings.add(HOST_ADDRESS_SETTING);
+        settings.add(HOST_NAME_SETTING);
+        settings.add(NODE_NAME_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index 343b08d50c4..4805354c83e 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -29,6 +29,7 @@ import org.elasticsearch.transport.TransportMessage;
 
 import java.io.IOException;
 import java.util.Base64;
+import java.util.List;
 
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -316,9 +317,9 @@ public class InternalAuthenticationService extends AbstractComponent implements
         return null;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(SIGN_USER_HEADER);
-        settingsModule.registerSetting(RUN_AS_ENABLED);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(SIGN_USER_HEADER);
+        settings.add(RUN_AS_ENABLED);
     }
 
     // these methods are package private for testing. They are also needed so that a AuditableRequest can be created in tests
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
index 604110c6ddc..b2981ec9d1f 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
@@ -212,7 +212,7 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(REALMS_GROUPS_SETTINGS);
+    public static void addSettings(List<Setting<?>> settingsModule) {
+        settingsModule.add(REALMS_GROUPS_SETTINGS);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
index ce56350aed9..052813d801f 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java
@@ -867,9 +867,9 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
         void onUsersChanged(List<String> username);
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(SCROLL_SIZE_SETTING);
-        settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING);
-        settingsModule.registerSetting(POLL_INTERVAL_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(SCROLL_SIZE_SETTING);
+        settings.add(SCROLL_KEEP_ALIVE_SETTING);
+        settings.add(POLL_INTERVAL_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
index a640b080cf6..ed8e4835333 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
@@ -357,7 +357,7 @@ public class InternalAuthorizationService extends AbstractComponent implements A
         return authorizationError("action [{}] is unauthorized for user [{}]", action, user.principal());
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
index 389c70254e0..19edfa313cb 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
@@ -260,7 +260,7 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(ROLES_FILE_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(ROLES_FILE_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
index 46bfb0c3c71..e977dc77b45 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java
@@ -31,7 +31,6 @@ import org.elasticsearch.common.inject.Provider;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.common.xcontent.ToXContent;
@@ -604,9 +603,9 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(SCROLL_SIZE_SETTING);
-        settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING);
-        settingsModule.registerSetting(POLL_INTERVAL_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(SCROLL_SIZE_SETTING);
+        settings.add(SCROLL_KEEP_ALIVE_SETTING);
+        settings.add(POLL_INTERVAL_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
index 30994e722f2..ef96be6b210 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@@ -676,10 +676,10 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(FILE_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_KEY_LENGTH_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_KEY_ALGO_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_ALGO_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(FILE_SETTING);
+        settings.add(ENCRYPTION_KEY_LENGTH_SETTING);
+        settings.add(ENCRYPTION_KEY_ALGO_SETTING);
+        settings.add(ENCRYPTION_ALGO_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java
index 2286bff2cbb..cabac13e0f7 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java
@@ -147,25 +147,25 @@ public abstract class SSLConfiguration {
         static final Setting<Boolean> INCLUDE_JDK_CERTS_SETTING = Setting.boolSetting(globalKey(Custom.INCLUDE_JDK_CERTS_SETTING), true,
                 Property.NodeScope, Property.Filtered);
 
-        public static void registerSettings(SettingsModule settingsModule) {
-            settingsModule.registerSetting(Global.CIPHERS_SETTING);
-            settingsModule.registerSetting(Global.SUPPORTED_PROTOCOLS_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_PATH_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_ALGORITHM_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_KEY_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.KEY_PATH_SETTING);
-            settingsModule.registerSetting(Global.KEY_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.CERT_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_PATH_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_ALGORITHM_SETTING);
-            settingsModule.registerSetting(Global.PROTOCOL_SETTING);
-            settingsModule.registerSetting(Global.SESSION_CACHE_SIZE_SETTING);
-            settingsModule.registerSetting(Global.SESSION_CACHE_TIMEOUT_SETTING);
-            settingsModule.registerSetting(Global.CA_PATHS_SETTING);
-            settingsModule.registerSetting(Global.INCLUDE_JDK_CERTS_SETTING);
-            settingsModule.registerSetting(Global.RELOAD_ENABLED_SETTING);
+        public static void addSettings(List<Setting<?>> settings) {
+            settings.add(Global.CIPHERS_SETTING);
+            settings.add(Global.SUPPORTED_PROTOCOLS_SETTING);
+            settings.add(Global.KEYSTORE_PATH_SETTING);
+            settings.add(Global.KEYSTORE_PASSWORD_SETTING);
+            settings.add(Global.KEYSTORE_ALGORITHM_SETTING);
+            settings.add(Global.KEYSTORE_KEY_PASSWORD_SETTING);
+            settings.add(Global.KEY_PATH_SETTING);
+            settings.add(Global.KEY_PASSWORD_SETTING);
+            settings.add(Global.CERT_SETTING);
+            settings.add(Global.TRUSTSTORE_PATH_SETTING);
+            settings.add(Global.TRUSTSTORE_PASSWORD_SETTING);
+            settings.add(Global.TRUSTSTORE_ALGORITHM_SETTING);
+            settings.add(Global.PROTOCOL_SETTING);
+            settings.add(Global.SESSION_CACHE_SIZE_SETTING);
+            settings.add(Global.SESSION_CACHE_TIMEOUT_SETTING);
+            settings.add(Global.CA_PATHS_SETTING);
+            settings.add(Global.INCLUDE_JDK_CERTS_SETTING);
+            settings.add(Global.RELOAD_ENABLED_SETTING);
         }
 
         private final KeyConfig keyConfig;
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java
index b7df9e2234c..ee1724b0f63 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java
@@ -260,13 +260,13 @@ public class IPFilter {
         updateRules();
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(ALLOW_BOUND_ADDRESSES_SETTING);
-        settingsModule.registerSetting(IP_FILTER_ENABLED_SETTING);
-        settingsModule.registerSetting(IP_FILTER_ENABLED_HTTP_SETTING);
-        settingsModule.registerSetting(HTTP_FILTER_ALLOW_SETTING);
-        settingsModule.registerSetting(HTTP_FILTER_DENY_SETTING);
-        settingsModule.registerSetting(TRANSPORT_FILTER_ALLOW_SETTING);
-        settingsModule.registerSetting(TRANSPORT_FILTER_DENY_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(ALLOW_BOUND_ADDRESSES_SETTING);
+        settings.add(IP_FILTER_ENABLED_SETTING);
+        settings.add(IP_FILTER_ENABLED_HTTP_SETTING);
+        settings.add(HTTP_FILTER_ALLOW_SETTING);
+        settings.add(HTTP_FILTER_DENY_SETTING);
+        settings.add(TRANSPORT_FILTER_ALLOW_SETTING);
+        settings.add(TRANSPORT_FILTER_DENY_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
index c477f94312c..51545e62a75 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java
@@ -27,6 +27,7 @@ import org.jboss.netty.handler.ssl.SslHandler;
 import javax.net.ssl.SSLEngine;
 
 import java.util.Collections;
+import java.util.List;
 
 import static org.elasticsearch.http.HttpTransportSettings.SETTING_HTTP_COMPRESSION;
 import static org.elasticsearch.shield.Security.setting;
@@ -128,10 +129,10 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(SSL_SETTING);
-        settingsModule.registerSetting(CLIENT_AUTH_SETTING);
-        settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
+    public static void addSettings(List<Setting<?>> settings) {
+        settings.add(SSL_SETTING);
+        settings.add(CLIENT_AUTH_SETTING);
+        settings.add(DEPRECATED_SSL_SETTING);
     }
 
     public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
index d226a5ba4b9..89cf5b1287b 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
@@ -34,6 +34,7 @@ import org.jboss.netty.handler.ssl.SslHandler;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;
+import java.util.List;
 
 import static org.elasticsearch.shield.Security.featureEnabledSetting;
 import static org.elasticsearch.shield.Security.setting;
@@ -249,17 +250,17 @@ public class ShieldNettyTransport extends NettyTransport {
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(SSL_SETTING);
-        settingsModule.registerSetting(HOSTNAME_VERIFICATION_SETTING);
-        settingsModule.registerSetting(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING);
-        settingsModule.registerSetting(CLIENT_AUTH_SETTING);
-        settingsModule.registerSetting(PROFILE_SSL_SETTING);
-        settingsModule.registerSetting(PROFILE_CLIENT_AUTH_SETTING);
+    public static void addSettings(List<Setting<?>> settingsModule) {
+        settingsModule.add(SSL_SETTING);
+        settingsModule.add(HOSTNAME_VERIFICATION_SETTING);
+        settingsModule.add(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING);
+        settingsModule.add(CLIENT_AUTH_SETTING);
+        settingsModule.add(PROFILE_SSL_SETTING);
+        settingsModule.add(PROFILE_CLIENT_AUTH_SETTING);
 
         // deprecated transport settings
-        settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
-        settingsModule.registerSetting(DEPRECATED_PROFILE_SSL_SETTING);
-        settingsModule.registerSetting(DEPRECATED_HOSTNAME_VERIFICATION_SETTING);
+        settingsModule.add(DEPRECATED_SSL_SETTING);
+        settingsModule.add(DEPRECATED_PROFILE_SSL_SETTING);
+        settingsModule.add(DEPRECATED_HOSTNAME_VERIFICATION_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java
index 818be16d489..55742e31f2b 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java
@@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.shield.user.User.ReservedUser;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -80,8 +81,12 @@ public class AnonymousUser extends ReservedUser {
         return roles;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
-        settingsModule.registerSetting(USERNAME_SETTING);
-        settingsModule.registerSetting(ROLES_SETTING);
+    public static List<Setting<?>> getSettings() {
+        return Arrays.asList();
+    }
+
+    public static void addSettings(List<Setting<?>> settingsList) {
+        settingsList.add(USERNAME_SETTING);
+        settingsList.add(ROLES_SETTING);
     }
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
index 46bb410fca3..b7ae372caf7 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
@@ -11,15 +11,14 @@ import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.network.NetworkService;
-import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
-import org.elasticsearch.indices.breaker.CircuitBreakerModule;
+import org.elasticsearch.indices.breaker.CircuitBreakerService;
+import org.elasticsearch.node.Node;
 import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.local.LocalTransport;
 
@@ -36,8 +35,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put("client.type", "node")
                 .put(AuditTrailModule.ENABLED_SETTING.getKey(), false)
                 .build();
-        SettingsModule settingsModule = new SettingsModule(settings);
-        settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
+        SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING);
         Injector injector = Guice.createInjector(settingsModule, new AuditTrailModule(settings));
         AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
         assertThat(auditTrail, is(AuditTrail.NOOP));
@@ -58,8 +56,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .build();
         ThreadPool pool = new TestThreadPool("testLogFile");
         try {
-            SettingsModule settingsModule = new SettingsModule(settings);
-            settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
+            SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING);
             Injector injector = Guice.createInjector(
                     settingsModule,
                     new NetworkModule(new NetworkService(settings), settings, false, new NamedWriteableRegistry()) {
@@ -69,8 +66,11 @@ public class AuditTrailModuleTests extends ESTestCase {
                         }
                     },
                     new AuditTrailModule(settings),
-                    new CircuitBreakerModule(settings),
-                    new ThreadPoolModule(pool),
+                    b -> {
+                        b.bind(CircuitBreakerService.class).toInstance(Node.createCircuitBreakerService(settingsModule.getSettings(),
+                                settingsModule.getClusterSettings()));
+                        b.bind(ThreadPool.class).toInstance(pool);
+                    },
                     new Version.Module(Version.CURRENT)
             );
             AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
@@ -90,9 +90,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put(AuditTrailModule.OUTPUTS_SETTING.getKey() , "foo")
                 .put("client.type", "node")
                 .build();
-        SettingsModule settingsModule = new SettingsModule(settings);
-        settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
-        settingsModule.registerSetting(AuditTrailModule.OUTPUTS_SETTING);
+        SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING, AuditTrailModule.OUTPUTS_SETTING);
         try {
             Guice.createInjector(settingsModule, new AuditTrailModule(settings));
             fail("Expect initialization to fail when an unknown audit trail output is configured");
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/SettingsFilterTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/SettingsFilterTests.java
index 945472b94c3..767b656b666 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/SettingsFilterTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/SettingsFilterTests.java
@@ -15,7 +15,9 @@ import org.elasticsearch.shield.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.hamcrest.Matcher;
 
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import static org.hamcrest.CoreMatchers.nullValue;
@@ -85,13 +87,14 @@ public class SettingsFilterTests extends ESTestCase {
                 .build();
 
         XPackPlugin xPackPlugin = new XPackPlugin(settings);
-        SettingsModule settingsModule = new SettingsModule(settings);
+        List<Setting<?>> settingList = new ArrayList<>();
+        settingList.add(Setting.simpleString("foo.bar", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("foo.baz", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("bar.baz", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("baz.foo", Setting.Property.NodeScope));
+        settingList.addAll(xPackPlugin.getSettings());
         // custom settings, potentially added by a plugin
-        settingsModule.registerSetting(Setting.simpleString("foo.bar", Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.simpleString("foo.baz", Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.simpleString("bar.baz", Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.simpleString("baz.foo", Setting.Property.NodeScope));
-        xPackPlugin.onModule(settingsModule);
+        SettingsModule settingsModule = new SettingsModule(settings, settingList, xPackPlugin.getSettingsFilter());
 
         Injector injector = Guice.createInjector(settingsModule);
         SettingsFilter settingsFilter = injector.getInstance(SettingsFilter.class);
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
index 17aefe14881..66d5a20b1f4 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@@ -21,6 +21,7 @@ import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.marvel.Monitoring;
+import org.elasticsearch.marvel.MonitoringSettings;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.plugins.ScriptPlugin;
 import org.elasticsearch.script.ScriptContext;
@@ -28,7 +29,6 @@ import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.Security;
 import org.elasticsearch.shield.authc.AuthenticationModule;
 import org.elasticsearch.threadpool.ExecutorBuilder;
-import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.xpack.action.TransportXPackInfoAction;
 import org.elasticsearch.xpack.action.TransportXPackUsageAction;
 import org.elasticsearch.xpack.action.XPackInfoAction;
@@ -190,22 +190,34 @@ public class XPackPlugin extends Plugin implements ScriptPlugin {
         return ScriptServiceProxy.INSTANCE;
     }
 
-    public void onModule(SettingsModule module) {
+    @Override
+    public List<Setting<?>> getSettings() {
+        ArrayList<Setting<?>> settings = new ArrayList<>();
+        settings.addAll(notification.getSettings());
+        settings.addAll(security.getSettings());
+        settings.addAll(MonitoringSettings.getSettings());
+        settings.addAll(watcher.getSettings());
+        settings.addAll(graph.getSettings());
+        settings.addAll(licensing.getSettings());
         // we add the `xpack.version` setting to all internal indices
-        module.registerSetting(Setting.simpleString("index.xpack.version", Setting.Property.IndexScope));
+        settings.add(Setting.simpleString("index.xpack.version", Setting.Property.IndexScope));
 
         // http settings
-        module.registerSetting(Setting.simpleString("xpack.http.default_read_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.http.default_connection_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.groupSetting("xpack.http.ssl.", Setting.Property.NodeScope));
-        module.registerSetting(Setting.groupSetting("xpack.http.proxy.", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.http.default_read_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.http.default_connection_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.groupSetting("xpack.http.ssl.", Setting.Property.NodeScope));
+        settings.add(Setting.groupSetting("xpack.http.proxy.", Setting.Property.NodeScope));
+        return settings;
+    }
 
-        notification.onModule(module);
-        security.onModule(module);
-        monitoring.onModule(module);
-        watcher.onModule(module);
-        graph.onModule(module);
-        licensing.onModule(module);
+    @Override
+    public List<String> getSettingsFilter() {
+        List<String> filters = new ArrayList<>();
+        filters.addAll(notification.getSettingsFilter());
+        filters.addAll(security.getSettingsFilter());
+        filters.addAll(MonitoringSettings.getSettingsFilter());
+        filters.addAll(graph.getSettingsFilter());
+        return filters;
     }
 
     @Override
@@ -309,9 +321,9 @@ public class XPackPlugin extends Plugin implements ScriptPlugin {
      *
      *          {@code "<feature>.enabled": true | false}
      */
-    public static void registerFeatureEnabledSettings(SettingsModule settingsModule, String featureName, boolean defaultValue) {
-        settingsModule.registerSetting(Setting.boolSetting(featureEnabledSetting(featureName), defaultValue, Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.boolSetting(legacyFeatureEnabledSetting(featureName),
+    public static void addFeatureEnabledSettings(List<Setting<?>> settingsList, String featureName, boolean defaultValue) {
+        settingsList.add(Setting.boolSetting(featureEnabledSetting(featureName), defaultValue, Setting.Property.NodeScope));
+        settingsList.add(Setting.boolSetting(legacyFeatureEnabledSetting(featureName),
                 defaultValue, Setting.Property.NodeScope));
     }
 
diff --git a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/Notification.java b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/Notification.java
index a1d2e67b6fc..755b18098ae 100644
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/Notification.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/notification/Notification.java
@@ -36,18 +36,22 @@ public class Notification {
         this.transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
     }
 
-    public void onModule(SettingsModule module) {
-        module.registerSetting(InternalSlackService.SLACK_ACCOUNT_SETTING);
-        module.registerSetting(InternalEmailService.EMAIL_ACCOUNT_SETTING);
-        module.registerSetting(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING);
-        module.registerSetting(InternalPagerDutyService.PAGERDUTY_ACCOUNT_SETTING);
+    public List<Setting<?>> getSettings() {
+        return Arrays.asList(InternalSlackService.SLACK_ACCOUNT_SETTING,
+        InternalEmailService.EMAIL_ACCOUNT_SETTING,
+        InternalHipChatService.HIPCHAT_ACCOUNT_SETTING,
+        InternalPagerDutyService.PAGERDUTY_ACCOUNT_SETTING);
+    }
 
-        module.registerSettingsFilter("xpack.notification.email.account.*.smtp.password");
-        module.registerSettingsFilter("xpack.notification.slack.account.*.url");
-        module.registerSettingsFilter("xpack.notification.pagerduty.account.*.url");
-        module.registerSettingsFilter("xpack.notification.pagerduty." + PagerDutyAccount.SERVICE_KEY_SETTING);
-        module.registerSettingsFilter("xpack.notification.pagerduty.account.*." + PagerDutyAccount.SERVICE_KEY_SETTING);
-        module.registerSettingsFilter("xpack.notification.hipchat.account.*.auth_token");
+    public List<String> getSettingsFilter() {
+        ArrayList<String> settingsFilter = new ArrayList<>();
+        settingsFilter.add("xpack.notification.email.account.*.smtp.password");
+        settingsFilter.add("xpack.notification.slack.account.*.url");
+        settingsFilter.add("xpack.notification.pagerduty.account.*.url");
+        settingsFilter.add("xpack.notification.pagerduty." + PagerDutyAccount.SERVICE_KEY_SETTING);
+        settingsFilter.add("xpack.notification.pagerduty.account.*." + PagerDutyAccount.SERVICE_KEY_SETTING);
+        settingsFilter.add("xpack.notification.hipchat.account.*.auth_token");
+        return settingsFilter;
     }
 
     public Collection<Class<? extends LifecycleComponent>> nodeServices() {
diff --git a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
index 50d34f72318..aaaa604764f 100644
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java
@@ -19,12 +19,10 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.concurrent.EsExecutors;
 import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.threadpool.ExecutorBuilder;
 import org.elasticsearch.threadpool.FixedExecutorBuilder;
-import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.elasticsearch.xpack.common.init.LazyInitializationModule;
 import org.elasticsearch.xpack.watcher.actions.WatcherActionModule;
@@ -141,29 +139,31 @@ public class Watcher {
     }
 
 
-    public void onModule(SettingsModule module) {
+    public List<Setting<?>> getSettings() {
+        List<Setting<?>> settings = new ArrayList<>();
         for (TemplateConfig templateConfig : WatcherIndexTemplateRegistry.TEMPLATE_CONFIGS) {
-            module.registerSetting(templateConfig.getSetting());
+            settings.add(templateConfig.getSetting());
         }
-        module.registerSetting(INDEX_WATCHER_VERSION_SETTING);
-        module.registerSetting(INDEX_WATCHER_TEMPLATE_VERSION_SETTING);
-        module.registerSetting(Setting.intSetting("xpack.watcher.execution.scroll.size", 0, Setting.Property.NodeScope));
-        module.registerSetting(Setting.intSetting("xpack.watcher.watch.scroll.size", 0, Setting.Property.NodeScope));
-        module.registerSetting(Setting.boolSetting(XPackPlugin.featureEnabledSetting(Watcher.NAME), true, Setting.Property.NodeScope));
-        module.registerSetting(ENCRYPT_SENSITIVE_DATA_SETTING);
+        settings.add(INDEX_WATCHER_VERSION_SETTING);
+        settings.add(INDEX_WATCHER_TEMPLATE_VERSION_SETTING);
+        settings.add(Setting.intSetting("xpack.watcher.execution.scroll.size", 0, Setting.Property.NodeScope));
+        settings.add(Setting.intSetting("xpack.watcher.watch.scroll.size", 0, Setting.Property.NodeScope));
+        settings.add(Setting.boolSetting(XPackPlugin.featureEnabledSetting(Watcher.NAME), true, Setting.Property.NodeScope));
+        settings.add(ENCRYPT_SENSITIVE_DATA_SETTING);
 
-        module.registerSetting(Setting.simpleString("xpack.watcher.internal.ops.search.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.internal.ops.bulk.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.internal.ops.index.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.execution.default_throttle_period", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.actions.index.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.index.rest.direct_access", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.trigger.schedule.engine", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.input.search.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.transform.search.default_timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.trigger.schedule.ticker.tick_interval", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.execution.scroll.timeout", Setting.Property.NodeScope));
-        module.registerSetting(Setting.simpleString("xpack.watcher.start_immediately", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.internal.ops.search.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.internal.ops.bulk.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.internal.ops.index.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.execution.default_throttle_period", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.actions.index.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.index.rest.direct_access", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.trigger.schedule.engine", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.input.search.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.transform.search.default_timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.trigger.schedule.ticker.tick_interval", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.execution.scroll.timeout", Setting.Property.NodeScope));
+        settings.add(Setting.simpleString("xpack.watcher.start_immediately", Setting.Property.NodeScope));
+        return settings;
     }
 
     public List<ExecutorBuilder<?>> getExecutorBuilders(final Settings settings) {
@@ -279,4 +279,5 @@ public class Watcher {
                 "[.watcher-history-YYYY.MM.dd] are allowed to be created", value);
     }
 
+    
 }
diff --git a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherIndexTemplateRegistryTests.java b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherIndexTemplateRegistryTests.java
index 41d7cbc29ff..1db1130953f 100644
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherIndexTemplateRegistryTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/xpack/watcher/support/WatcherIndexTemplateRegistryTests.java
@@ -15,6 +15,8 @@ import org.elasticsearch.xpack.watcher.test.AbstractWatcherIntegrationTestCase;
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 import java.util.function.Function;
 
 import static org.elasticsearch.test.ESIntegTestCase.Scope.TEST;
@@ -85,8 +87,9 @@ public class WatcherIndexTemplateRegistryTests extends AbstractWatcherIntegratio
 
         public static final Setting<String> KEY_1 = new Setting<>("index.key1", "", Function.identity(), Setting.Property.IndexScope);
 
-        public void onModule(SettingsModule module) {
-            module.registerSetting(KEY_1);
+        @Override
+        public List<Setting<?>> getSettings() {
+            return Collections.singletonList(KEY_1);
         }
     }
 }