Merge branch 'master' into enhancement/rollover_api

Original commit: elastic/x-pack-elasticsearch@f7a6e27f12

build.gradle

@@ -14,6 +14,7 @@ subprojects {
 }
 
 task bundlePack(type: Zip) {
+  onlyIf { project('kibana').bundlePlugin.enabled }
   dependsOn 'elasticsearch:x-pack:bundlePlugin'
   dependsOn 'kibana:bundlePlugin'
   from { zipTree(project('elasticsearch:x-pack').bundlePlugin.outputs.files.singleFile) }

elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/GroovyScriptConditionIT.java

@@ -11,6 +11,7 @@ import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.groovy.GroovyPlugin;
 import org.elasticsearch.search.aggregations.AggregationBuilders;
 import org.elasticsearch.search.aggregations.bucket.histogram.Histogram;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptCondition;
@@ -49,7 +50,7 @@ public class GroovyScriptConditionIT extends AbstractWatcherIntegrationTestCase
 
     @BeforeClass
     public static void startThreadPool() {
-        THREAD_POOL = new ThreadPool(GroovyScriptConditionIT.class.getSimpleName());
+        THREAD_POOL = new TestThreadPool(GroovyScriptConditionIT.class.getSimpleName());
     }
 
     @Before

elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/MessyTestUtils.java

@@ -14,7 +14,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.script.ScriptContextRegistry;
 import org.elasticsearch.script.ScriptEngineRegistry;
-import org.elasticsearch.script.ScriptEngineService;
 import org.elasticsearch.script.ScriptService;
 import org.elasticsearch.script.ScriptSettings;
 import org.elasticsearch.script.groovy.GroovyScriptEngineService;
@@ -25,8 +24,7 @@ import org.junit.Ignore;
 import org.mockito.Mockito;
 
 import java.util.Arrays;
-import java.util.HashSet;
+import java.util.Collections;
-import java.util.Set;
 
 @Ignore // not a test.
 @SuppressForbidden(reason = "gradle is broken and tries to run me as a test")
@@ -38,19 +36,13 @@ public final class MessyTestUtils {
                 .put("path.home", LuceneTestCase.createTempDir())
                 .build();
         GroovyScriptEngineService groovyScriptEngineService = new GroovyScriptEngineService(settings);
-        Set<ScriptEngineService> engineServiceSet = new HashSet<>();
+        ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(Collections.singleton(groovyScriptEngineService));
-        engineServiceSet.add(groovyScriptEngineService);
-        ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(
-                Arrays.asList(
-                        new ScriptEngineRegistry.ScriptEngineRegistration(GroovyScriptEngineService.class, GroovyScriptEngineService.NAME)
-                )
-        );
         ScriptContextRegistry scriptContextRegistry = new ScriptContextRegistry(Arrays.asList(ScriptServiceProxy.INSTANCE));
 
         ClusterService clusterService = Mockito.mock(ClusterService.class);
         Mockito.when(clusterService.state()).thenReturn(ClusterState.builder(new ClusterName("_name")).build());
         ScriptSettings scriptSettings = new ScriptSettings(scriptEngineRegistry, scriptContextRegistry);
-        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings), engineServiceSet,
+        return  ScriptServiceProxy.of(new ScriptService(settings, new Environment(settings),
                 new ResourceWatcherService(settings, tp), scriptEngineRegistry, scriptContextRegistry, scriptSettings),
                 clusterService);
     }

elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionSearchIT.java

@@ -18,6 +18,7 @@ import org.elasticsearch.search.aggregations.bucket.histogram.Histogram;
 import org.elasticsearch.search.internal.InternalSearchHit;
 import org.elasticsearch.search.internal.InternalSearchHits;
 import org.elasticsearch.search.internal.InternalSearchResponse;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
 import org.elasticsearch.xpack.watcher.condition.script.ScriptCondition;
@@ -50,7 +51,7 @@ public class ScriptConditionSearchIT extends AbstractWatcherIntegrationTestCase
 
     @Before
     public void init() throws Exception {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
         scriptService = MessyTestUtils.getScriptServiceProxy(tp);
     }
 

elasticsearch/qa/messy-test-watcher-with-groovy/src/test/java/org/elasticsearch/messy/tests/ScriptConditionTests.java

@@ -17,6 +17,7 @@ import org.elasticsearch.script.GeneralScriptException;
 import org.elasticsearch.script.ScriptService.ScriptType;
 import org.elasticsearch.search.internal.InternalSearchResponse;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.xpack.watcher.condition.Condition;
 import org.elasticsearch.xpack.watcher.condition.script.ExecutableScriptCondition;
@@ -49,7 +50,7 @@ public class ScriptConditionTests extends ESTestCase {
     
     @Before
     public void init() {
-        tp = new ThreadPool(ThreadPool.Names.SAME);
+        tp = new TestThreadPool(ThreadPool.Names.SAME);
     }
 
     @After

elasticsearch/qa/shield-example-realm/build.gradle

@@ -37,6 +37,7 @@ processResources {
 
 task buildZip(type:Zip, dependsOn: [jar]) {
   from 'build/resources/main/x-pack-extension-descriptor.properties'
+  from 'build/resources/main/x-pack-extension-security.policy'
   from project.jar
 }
 

elasticsearch/qa/shield-example-realm/src/main/java/org/elasticsearch/example/ExampleRealmExtension.java

@@ -11,6 +11,9 @@ import org.elasticsearch.example.realm.CustomRealmFactory;
 import org.elasticsearch.shield.authc.AuthenticationModule;
 import org.elasticsearch.xpack.extensions.XPackExtension;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
 public class ExampleRealmExtension extends XPackExtension {
     @Override
     public String name() {
@@ -25,5 +28,10 @@ public class ExampleRealmExtension extends XPackExtension {
     public void onModule(AuthenticationModule authenticationModule) {
         authenticationModule.addCustomRealm(CustomRealm.TYPE, CustomRealmFactory.class);
         authenticationModule.setAuthenticationFailureHandler(CustomAuthenticationFailureHandler.class);
+        // check that the extension's policy works.
+        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+            System.getSecurityManager().checkPrintJobAccess();
+            return null;
+        });
     }
 }

elasticsearch/qa/shield-example-realm/src/main/resources/x-pack-extension-security.policy

@@ -0,0 +1,3 @@
+grant {
+  permission java.lang.RuntimePermission "queuePrintJob";
+};

elasticsearch/qa/smoke-test-watcher-with-mustache/src/test/java/org/elasticsearch/smoketest/WatcherTemplateTests.java

@@ -49,18 +49,14 @@ public class WatcherTemplateTests extends ESTestCase {
     public void init() throws Exception {
         Settings setting = Settings.builder().put(ScriptService.SCRIPT_AUTO_RELOAD_ENABLED_SETTING, true).build();
         Environment environment = Mockito.mock(Environment.class);
-        Set<ScriptEngineService> engines = Collections.singleton(new MustacheScriptEngineService(setting));
         ResourceWatcherService resourceWatcherService = Mockito.mock(ResourceWatcherService.class);
         ScriptContextRegistry registry = new ScriptContextRegistry(Collections.singletonList(ScriptServiceProxy.INSTANCE));
 
         ScriptEngineRegistry scriptEngineRegistry = new ScriptEngineRegistry(
-                Arrays.asList(
+                Collections.singleton(new MustacheScriptEngineService(setting))
-                        new ScriptEngineRegistry.ScriptEngineRegistration(MustacheScriptEngineService.class,
-                                MustacheScriptEngineService.NAME)
-                )
         );
         ScriptSettings scriptSettings = new ScriptSettings(scriptEngineRegistry, registry);
-        ScriptService scriptService = new ScriptService(setting, environment, engines, resourceWatcherService, scriptEngineRegistry,
+        ScriptService scriptService = new ScriptService(setting, environment, resourceWatcherService, scriptEngineRegistry,
                 registry, scriptSettings);
         ClusterService clusterService = Mockito.mock(ClusterService.class);
         Mockito.when(clusterService.state()).thenReturn(ClusterState.builder(new ClusterName("_name")).build());

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/Graph.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.common.component.LifecycleComponent;
@@ -12,14 +12,15 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
-import org.elasticsearch.graph.action.GraphExploreAction;
-import org.elasticsearch.graph.action.TransportGraphExploreAction;
-import org.elasticsearch.graph.rest.action.RestGraphAction;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.action.GraphExploreAction;
+import org.elasticsearch.xpack.graph.action.TransportGraphExploreAction;
+import org.elasticsearch.xpack.graph.rest.action.RestGraphAction;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 
 public class Graph extends Plugin {
 
@@ -69,10 +70,12 @@ public class Graph extends Plugin {
         if (enabled && transportClientMode == false) {
             module.registerRestHandler(RestGraphAction.class);        
         }
-    }    
+    }
-    
+
-    public void onModule(SettingsModule module) {
+
-        module.registerSetting(Setting.boolSetting(XPackPlugin.featureEnabledSetting(NAME), true, Setting.Property.NodeScope));
+    @Override
-    }    
+    public List<Setting<?>> getSettings() {
+        return Collections.singletonList(Setting.boolSetting(XPackPlugin.featureEnabledSetting(NAME), true, Setting.Property.NodeScope));
+    }
 
 }

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphFeatureSet.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphLicensee.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/GraphModule.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.inject.util.Providers;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Connection.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import com.carrotsearch.hppc.ObjectIntHashMap;
 
@@ -11,7 +11,7 @@ import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.ToXContent.Params;
-import org.elasticsearch.graph.action.Vertex.VertexId;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.io.IOException;
 import java.util.Map;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreAction.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.Action;
 import org.elasticsearch.client.ElasticsearchClient;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequest.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
@@ -149,9 +149,7 @@ public class GraphExploreRequest extends ActionRequest<GraphExploreRequest> impl
         indicesOptions = IndicesOptions.readIndicesOptions(in);
         types = in.readStringArray();
         routing = in.readOptionalString();
-        if (in.readBoolean()) {
+        timeout = in.readOptionalWriteable(TimeValue::new);
-            timeout = TimeValue.readTimeValue(in);
-        }
         sampleSize = in.readInt();
         sampleDiversityField = in.readOptionalString();
         maxDocsPerDiversityValue = in.readInt();
@@ -177,7 +175,7 @@ public class GraphExploreRequest extends ActionRequest<GraphExploreRequest> impl
         indicesOptions.writeIndicesOptions(out);
         out.writeStringArray(types);
         out.writeOptionalString(routing);
-        out.writeOptionalStreamable(timeout);
+        out.writeOptionalWriteable(timeout);
 
         out.writeInt(sampleSize);
         out.writeOptionalString(sampleDiversityField);

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreRequestBuilder.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequestBuilder;
 import org.elasticsearch.action.support.IndicesOptions;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/GraphExploreResponse.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import com.carrotsearch.hppc.ObjectIntHashMap;
 
@@ -15,8 +15,8 @@ import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
-import org.elasticsearch.graph.action.Connection.ConnectionId;
+import org.elasticsearch.xpack.graph.action.Connection.ConnectionId;
-import org.elasticsearch.graph.action.Vertex.VertexId;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.io.IOException;
 import java.util.Collection;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Hop.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.action.ActionRequestValidationException;
 import org.elasticsearch.action.ValidateActions;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/TransportGraphExploreAction.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.apache.lucene.search.BooleanQuery;
 import org.apache.lucene.util.PriorityQueue;
@@ -21,10 +21,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.CollectionUtils;
-import org.elasticsearch.graph.action.Connection.ConnectionId;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
-import org.elasticsearch.graph.action.Vertex.VertexId;
-import org.elasticsearch.graph.GraphLicensee;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.license.plugin.core.LicenseUtils;
@@ -41,6 +37,10 @@ import org.elasticsearch.search.aggregations.bucket.terms.support.IncludeExclude
 import org.elasticsearch.search.builder.SearchSourceBuilder;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
+import org.elasticsearch.xpack.graph.GraphLicensee;
+import org.elasticsearch.xpack.graph.action.Connection.ConnectionId;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
+import org.elasticsearch.xpack.graph.action.Vertex.VertexId;
 
 import java.util.ArrayList;
 import java.util.HashMap;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/Vertex.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/action/VertexRequest.java

@@ -3,11 +3,11 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.action;
+package org.elasticsearch.xpack.graph.action;
 
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
 
 import java.io.IOException;
 import java.util.HashMap;

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/xpack/graph/rest/action/RestGraphAction.java

@@ -3,11 +3,11 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.rest.action;
+package org.elasticsearch.xpack.graph.rest.action;
 
-import static org.elasticsearch.graph.action.GraphExploreAction.INSTANCE;
 import static org.elasticsearch.rest.RestRequest.Method.GET;
 import static org.elasticsearch.rest.RestRequest.Method.POST;
+import static org.elasticsearch.xpack.graph.action.GraphExploreAction.INSTANCE;
 
 import java.io.IOException;
 import java.util.HashMap;
@@ -25,11 +25,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentFactory;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.graph.action.GraphExploreRequest;
-import org.elasticsearch.graph.action.GraphExploreRequest.TermBoost;
-import org.elasticsearch.graph.action.GraphExploreResponse;
-import org.elasticsearch.graph.action.Hop;
-import org.elasticsearch.graph.action.VertexRequest;
 import org.elasticsearch.index.query.QueryParseContext;
 import org.elasticsearch.indices.query.IndicesQueriesRegistry;
 import org.elasticsearch.rest.BaseRestHandler;
@@ -38,6 +33,12 @@ import org.elasticsearch.rest.RestController;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.rest.action.support.RestActions;
 import org.elasticsearch.rest.action.support.RestToXContentListener;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreResponse;
+import org.elasticsearch.xpack.graph.action.Hop;
+import org.elasticsearch.xpack.graph.action.VertexRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest.TermBoost;
+
 
 /**
  * @see GraphExploreRequest
@@ -128,7 +129,7 @@ public class RestGraphAction extends BaseRestHandler {
                 }
             } else if (token == XContentParser.Token.START_OBJECT) {
                 if (context.getParseFieldMatcher().match(fieldName, QUERY_FIELD)) {
-                    currentHop.guidingQuery(context.parseInnerQueryBuilder());
+                    context.parseInnerQueryBuilder().ifPresent(currentHop::guidingQuery);
                 } else if (context.getParseFieldMatcher().match(fieldName, CONNECTIONS_FIELD)) {
                     parseHop(parser, context, graphRequest.createNextHop(null), graphRequest);
                 } else if (context.getParseFieldMatcher().match(fieldName, CONTROLS_FIELD)) {

elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/GraphFeatureSetTests.java

@@ -3,11 +3,13 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph;
+package org.elasticsearch.xpack.graph;
 
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.graph.GraphFeatureSet;
+import org.elasticsearch.xpack.graph.GraphLicensee;
 import org.junit.Before;
 
 import static org.hamcrest.core.Is.is;

elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/license/LicenseTests.java

@@ -3,12 +3,12 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.license;
+package org.elasticsearch.xpack.graph.license;
 
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.graph.GraphLicensee;
 import org.elasticsearch.license.core.License.OperationMode;
 import org.elasticsearch.license.plugin.core.AbstractLicenseeTestCase;
+import org.elasticsearch.xpack.graph.GraphLicensee;
 
 import static org.hamcrest.Matchers.is;
 

elasticsearch/x-pack/graph/src/test/java/org/elasticsearch/xpack/graph/test/GraphTests.java

@@ -3,7 +3,7 @@
  * or more contributor license agreements. Licensed under the Elastic License;
  * you may not use this file except in compliance with the Elastic License.
  */
-package org.elasticsearch.graph.test;
+package org.elasticsearch.xpack.graph.test;
 
 import org.apache.lucene.search.BooleanQuery;
 import org.elasticsearch.action.ActionRequestValidationException;
@@ -11,17 +11,11 @@ import org.elasticsearch.action.search.ShardSearchFailure;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.Settings.Builder;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.graph.action.GraphExploreAction;
-import org.elasticsearch.graph.action.GraphExploreRequest;
-import org.elasticsearch.graph.action.GraphExploreRequestBuilder;
-import org.elasticsearch.graph.action.GraphExploreResponse;
-import org.elasticsearch.graph.action.Hop;
-import org.elasticsearch.graph.action.Vertex;
-import org.elasticsearch.graph.action.VertexRequest;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.index.query.ScriptQueryBuilder;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.plugins.ScriptPlugin;
 import org.elasticsearch.script.AbstractSearchScript;
 import org.elasticsearch.script.ExecutableScript;
 import org.elasticsearch.script.NativeScriptFactory;
@@ -32,8 +26,17 @@ import org.elasticsearch.shield.Security;
 import org.elasticsearch.test.ESSingleNodeTestCase;
 import org.elasticsearch.xpack.watcher.Watcher;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.action.GraphExploreAction;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequest;
+import org.elasticsearch.xpack.graph.action.GraphExploreRequestBuilder;
+import org.elasticsearch.xpack.graph.action.GraphExploreResponse;
+import org.elasticsearch.xpack.graph.action.Hop;
+import org.elasticsearch.xpack.graph.action.Vertex;
+import org.elasticsearch.xpack.graph.action.VertexRequest;
 
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import static org.elasticsearch.cluster.metadata.IndexMetaData.SETTING_NUMBER_OF_REPLICAS;
@@ -346,7 +349,7 @@ public class GraphTests extends ESSingleNodeTestCase {
         assertThat(why, strongVertex.getWeight(), greaterThan(weakVertex.getWeight()));
     }
 
-    public static class ScriptedTimeoutPlugin extends Plugin {
+    public static class ScriptedTimeoutPlugin extends Plugin implements ScriptPlugin {
         @Override
         public String name() {
             return "test-scripted-graph-timeout";
@@ -357,8 +360,9 @@ public class GraphTests extends ESSingleNodeTestCase {
             return "Test for scripted timeouts on graph searches";
         }
 
-        public void onModule(ScriptModule module) {
+        @Override
-            module.registerScript(NativeTestScriptedTimeout.TEST_NATIVE_SCRIPT_TIMEOUT, NativeTestScriptedTimeout.Factory.class);
+        public List<NativeScriptFactory> getNativeScripts() {
+            return Collections.singletonList(new NativeTestScriptedTimeout.Factory());
         }
     }
 
@@ -377,6 +381,11 @@ public class GraphTests extends ESSingleNodeTestCase {
             public boolean needsScores() {
                 return false;
             }
+
+            @Override
+            public String getName() {
+                return TEST_NATIVE_SCRIPT_TIMEOUT;
+            }
         }
 
         @Override

elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/Licensing.java

@@ -28,6 +28,7 @@ import org.elasticsearch.license.plugin.rest.RestPutLicenseAction;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.List;
 
 import static org.elasticsearch.xpack.XPackPlugin.isTribeClientNode;
 import static org.elasticsearch.xpack.XPackPlugin.isTribeNode;
@@ -80,8 +81,8 @@ public class Licensing {
         return Collections.emptyList();
     }
 
-    public void onModule(SettingsModule module) {
+    public List<Setting<?>> getSettings() {
         // TODO convert this wildcard to a real setting
-        module.registerSetting(Setting.groupSetting("license.", Setting.Property.NodeScope));
+        return Collections.singletonList(Setting.groupSetting("license.", Setting.Property.NodeScope));
     }
 }

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java

@@ -12,7 +12,6 @@ import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.license.core.License;
 import org.elasticsearch.license.plugin.action.put.PutLicenseAction;
 import org.elasticsearch.license.plugin.action.put.PutLicenseRequestBuilder;
@@ -31,6 +30,7 @@ import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.xpack.watcher.Watcher;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.Graph;
 
 import java.util.ArrayList;
 import java.util.Collection;

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestConsumerPluginBase.java

@@ -14,7 +14,9 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.plugins.Plugin;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
 
 public abstract class TestConsumerPluginBase extends Plugin {
 
@@ -44,13 +46,11 @@ public abstract class TestConsumerPluginBase extends Plugin {
         return services;
     }
 
-    public void onModule(SettingsModule module) {
+    @Override
-        try {
+    public List<Setting<?>> getSettings() {
-            module.registerSetting(Setting.simpleString("_trial_license_duration_in_seconds", Setting.Property.NodeScope));
+        return Arrays.asList(Setting.simpleString("_trial_license_duration_in_seconds", Setting.Property.NodeScope,
-            module.registerSetting(Setting.simpleString("_grace_duration_in_seconds", Setting.Property.NodeScope));
+                Setting.Property.Shared), Setting.simpleString("_grace_duration_in_seconds", Setting.Property.NodeScope,
-        } catch (IllegalArgumentException ex) {
+                Setting.Property.Shared));
-            // already loaded
-        }
     }
 
     public abstract Class<? extends TestPluginServiceBase> service();

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/xpack/TribeTransportTestCase.java

@@ -20,7 +20,6 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.discovery.zen.ping.unicast.UnicastZenPing;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.marvel.Monitoring;
 import org.elasticsearch.node.Node;
 import org.elasticsearch.plugins.Plugin;
@@ -31,6 +30,7 @@ import org.elasticsearch.test.ESIntegTestCase.Scope;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.test.NodeConfigurationSource;
 import org.elasticsearch.test.TestCluster;
+import org.elasticsearch.xpack.graph.Graph;
 import org.elasticsearch.xpack.watcher.Watcher;
 
 import java.util.ArrayList;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/Monitoring.java

@@ -9,6 +9,7 @@ import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
+import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.marvel.action.MonitoringBulkAction;
@@ -80,7 +81,6 @@ public class Monitoring {
     }
 
     public void onModule(SettingsModule module) {
-        MonitoringSettings.register(module);
     }
 
     public void onModule(ActionModule module) {

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MonitoringSettings.java

@@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.xpack.XPackPlugin;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.function.Function;
@@ -125,22 +126,23 @@ public class MonitoringSettings extends AbstractComponent {
     public static final Setting<Settings> EXPORTERS_SETTINGS =
             groupSetting(key("agent.exporters."), Property.Dynamic, Property.NodeScope);
 
-    static void register(SettingsModule module) {
+    public static List<Setting<?>> getSettings() {
-        module.registerSetting(INDICES);
+        return Arrays.asList(INDICES,
-        module.registerSetting(INTERVAL);
+                INTERVAL,
-        module.registerSetting(INDEX_RECOVERY_TIMEOUT);
+                INDEX_RECOVERY_TIMEOUT,
-        module.registerSetting(INDEX_STATS_TIMEOUT);
+                INDEX_STATS_TIMEOUT,
-        module.registerSetting(INDICES_STATS_TIMEOUT);
+                INDICES_STATS_TIMEOUT,
-        module.registerSetting(INDEX_RECOVERY_ACTIVE_ONLY);
+                INDEX_RECOVERY_ACTIVE_ONLY,
-        module.registerSetting(COLLECTORS);
+                COLLECTORS,
-        module.registerSetting(CLUSTER_STATE_TIMEOUT);
+                CLUSTER_STATE_TIMEOUT,
-        module.registerSetting(CLUSTER_STATS_TIMEOUT);
+                CLUSTER_STATS_TIMEOUT,
-        module.registerSetting(HISTORY_DURATION);
+                HISTORY_DURATION,
-        module.registerSetting(EXPORTERS_SETTINGS);
+                EXPORTERS_SETTINGS,
-        module.registerSetting(ENABLED);
+                ENABLED);
+    }
 
-        module.registerSettingsFilter("xpack.monitoring.agent.exporters.*.auth.*");
+    public static List<String> getSettingsFilter() {
-        module.registerSettingsFilter("xpack.monitoring.agent.exporters.*.ssl.*");
+        return Arrays.asList("xpack.monitoring.agent.exporters.*.auth.*", "xpack.monitoring.agent.exporters.*.ssl.*");
     }
 
 

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/action/TransportMonitoringBulkActionTests.java

@@ -30,6 +30,7 @@ import org.elasticsearch.marvel.agent.exporter.Exporters;
 import org.elasticsearch.marvel.agent.exporter.MonitoringDoc;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.transport.CapturingTransport;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.TransportService;
 import org.junit.After;
@@ -74,7 +75,7 @@ public class TransportMonitoringBulkActionTests extends ESTestCase {
 
     @BeforeClass
     public static void beforeClass() {
-        threadPool = new ThreadPool(TransportMonitoringBulkActionTests.class.getSimpleName());
+        threadPool = new TestThreadPool(TransportMonitoringBulkActionTests.class.getSimpleName());
     }
 
     @AfterClass

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/resolver/shards/ShardsTests.java

@@ -25,6 +25,7 @@ import org.junit.After;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -58,7 +59,7 @@ public class ShardsTests extends MarvelIntegTestCase {
     public void testShards() throws Exception {
         logger.debug("--> creating some indices so that shards collector reports data");
         for (int i = 0; i < randomIntBetween(1, 5); i++) {
-            client().prepareIndex(INDEX_PREFIX + i, "foo").setRefresh(true).setSource("field1", "value1").get();
+            client().prepareIndex(INDEX_PREFIX + i, "foo").setRefreshPolicy(IMMEDIATE).setSource("field1", "value1").get();
         }
 
         securedFlush();

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/cleaner/CleanerServiceTests.java

@@ -11,6 +11,7 @@ import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.marvel.MonitoringSettings;
 import org.elasticsearch.marvel.MonitoringLicensee;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -40,7 +41,7 @@ public class CleanerServiceTests extends ESTestCase {
     @Before
     public void start() {
         clusterSettings = new ClusterSettings(Settings.EMPTY, Collections.singleton(MonitoringSettings.HISTORY_DURATION));
-        threadPool = new ThreadPool("CleanerServiceTests");
+        threadPool = new TestThreadPool("CleanerServiceTests");
     }
 
     @After

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Security.java

@@ -18,7 +18,6 @@ import org.elasticsearch.common.regex.Regex;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.shield.action.ShieldActionModule;
@@ -188,62 +187,70 @@ public class Security {
         return settingsBuilder.build();
     }
 
-    public void onModule(SettingsModule settingsModule) {
+    public List<Setting<?>> getSettings() {
+        List<Setting<?>> settingsList = new ArrayList<>();
         // always register for both client and node modes
-        XPackPlugin.registerFeatureEnabledSettings(settingsModule, NAME, true);
+        XPackPlugin.addFeatureEnabledSettings(settingsList, NAME, true);
-        settingsModule.registerSetting(USER_SETTING);
+        settingsList.add(USER_SETTING);
 
         // SSL settings
-        SSLConfiguration.Global.registerSettings(settingsModule);
+        SSLConfiguration.Global.addSettings(settingsList);
 
         // transport settings
-        ShieldNettyTransport.registerSettings(settingsModule);
+        ShieldNettyTransport.addSettings(settingsList);
 
         if (transportClientMode) {
-            return;
+            return settingsList;
         }
 
         // The following just apply in node mode
-        XPackPlugin.registerFeatureEnabledSettings(settingsModule, DLS_FLS_FEATURE, true);
+        XPackPlugin.addFeatureEnabledSettings(settingsList, DLS_FLS_FEATURE, true);
 
         // IP Filter settings
-        IPFilter.registerSettings(settingsModule);
+        IPFilter.addSettings(settingsList);
 
         // audit settings
-        AuditTrailModule.registerSettings(settingsModule);
+        AuditTrailModule.addSettings(settingsList);
 
         // authentication settings
-        FileRolesStore.registerSettings(settingsModule);
+        FileRolesStore.addSettings(settingsList);
-        AnonymousUser.registerSettings(settingsModule);
+        AnonymousUser.addSettings(settingsList);
-        Realms.registerSettings(settingsModule);
+        Realms.addSettings(settingsList);
-        NativeUsersStore.registerSettings(settingsModule);
+        NativeUsersStore.addSettings(settingsList);
-        NativeRolesStore.registerSettings(settingsModule);
+        NativeRolesStore.addSettings(settingsList);
-        InternalAuthenticationService.registerSettings(settingsModule);
+        InternalAuthenticationService.addSettings(settingsList);
-        InternalAuthorizationService.registerSettings(settingsModule);
+        InternalAuthorizationService.addSettings(settingsList);
 
         // HTTP settings
-        ShieldNettyHttpServerTransport.registerSettings(settingsModule);
+        ShieldNettyHttpServerTransport.addSettings(settingsList);
 
         // encryption settings
-        InternalCryptoService.registerSettings(settingsModule);
+        InternalCryptoService.addSettings(settingsList);
 
         // hide settings
-        settingsModule.registerSetting(Setting.listSetting(setting("hide_settings"), Collections.emptyList(), Function.identity(),
+        settingsList.add(Setting.listSetting(setting("hide_settings"), Collections.emptyList(), Function.identity(),
                 Property.NodeScope, Property.Filtered));
+        return settingsList;
+    }
+
+    
+    public List<String> getSettingsFilter() {
+        ArrayList<String> settingsFilter = new ArrayList<>();
         String[] asArray = settings.getAsArray(setting("hide_settings"));
         for (String pattern : asArray) {
-            settingsModule.registerSettingsFilter(pattern);
+            settingsFilter.add(pattern);
         }
 
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_dn"));
+        settingsFilter.add(setting("authc.realms.*.bind_dn"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.bind_password"));
+        settingsFilter.add(setting("authc.realms.*.bind_password"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING));
+        settingsFilter.add(setting("authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.password"));
+        settingsFilter.add(setting("authc.realms.*.truststore.password"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.path"));
+        settingsFilter.add(setting("authc.realms.*.truststore.path"));
-        settingsModule.registerSettingsFilter(setting("authc.realms.*.truststore.algorithm"));
+        settingsFilter.add(setting("authc.realms.*.truststore.algorithm"));
 
         // hide settings where we don't define them - they are part of a group...
-        settingsModule.registerSettingsFilter("transport.profiles.*." + setting("*"));
+        settingsFilter.add("transport.profiles.*." + setting("*"));
+        return settingsFilter;
     }
 
     public void onIndexModule(IndexModule module) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java

@@ -9,6 +9,7 @@ import org.elasticsearch.common.inject.multibindings.Multibinder;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.action.filter.ShieldActionFilter;
 import org.elasticsearch.shield.action.interceptor.BulkRequestInterceptor;
+import org.elasticsearch.shield.action.interceptor.FieldStatsRequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.RealtimeRequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.RequestInterceptor;
 import org.elasticsearch.shield.action.interceptor.SearchRequestInterceptor;
@@ -34,5 +35,6 @@ public class ShieldActionModule extends AbstractShieldModule.Node {
         multibinder.addBinding().to(SearchRequestInterceptor.class);
         multibinder.addBinding().to(UpdateRequestInterceptor.class);
         multibinder.addBinding().to(BulkRequestInterceptor.class);
+        multibinder.addBinding().to(FieldStatsRequestInterceptor.class);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java

@@ -47,12 +47,14 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
             for (String index : indicesRequest.indices()) {
                 IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
                 if (indexAccessControl != null) {
-                    boolean fls = indexAccessControl.getFields() != null;
+                    boolean fieldLevelSecurityEnabled = indexAccessControl.getFields() != null;
-                    boolean dls = indexAccessControl.getQueries() != null;
+                    boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
-                    if (fls || dls) {
+                    if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
-                        logger.debug("intercepted request for index [{}] with field level or document level security enabled, " +
+                        if (logger.isDebugEnabled()) {
-                                "disabling features", index);
+                            logger.debug("intercepted request for index [{}] with field level [{}] or document level [{}] security "
-                        disableFeatures(request);
+                                    + "enabled, disabling features", index, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
+                        }
+                        disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
                         return;
                     }
                 }
@@ -62,6 +64,6 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
         }
     }
 
-    protected abstract void disableFeatures(Request request);
+    protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled);
 
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.shield.action.interceptor;
+
+import org.elasticsearch.action.fieldstats.FieldStatsRequest;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.threadpool.ThreadPool;
+import org.elasticsearch.transport.TransportRequest;
+
+/**
+ * Intercepts requests to shards to field level stats and strips fields that the user is not allowed to access from the response.
+ */
+public class FieldStatsRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor<FieldStatsRequest> {
+    @Inject
+    public FieldStatsRequestInterceptor(Settings settings, ThreadPool threadPool) {
+        super(settings, threadPool.getThreadContext());
+    }
+
+    @Override
+    public boolean supports(TransportRequest request) {
+        return request instanceof FieldStatsRequest;
+    }
+
+    @Override
+    protected void disableFeatures(FieldStatsRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
+        if (fieldLevelSecurityEnabled) {
+            request.setUseCache(false);
+        }
+    }
+}

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java

@@ -23,7 +23,8 @@ public class RealtimeRequestInterceptor extends FieldAndDocumentLevelSecurityReq
     }
 
     @Override
-    protected void disableFeatures(RealtimeRequest realtimeRequest) {
+    protected void disableFeatures(RealtimeRequest realtimeRequest, boolean fieldLevelSecurityEnabled,
+            boolean documentLevelSecurityEnabled) {
         realtimeRequest.realtime(false);
     }
 

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java

@@ -22,7 +22,7 @@ public class SearchRequestInterceptor extends FieldAndDocumentLevelSecurityReque
     }
 
     @Override
-    public void disableFeatures(SearchRequest request) {
+    public void disableFeatures(SearchRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
         request.requestCache(false);
     }
 

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java

@@ -28,7 +28,7 @@ public class UpdateRequestInterceptor extends FieldAndDocumentLevelSecurityReque
     }
 
     @Override
-    protected void disableFeatures(UpdateRequest updateRequest) {
+    protected void disableFeatures(UpdateRequest updateRequest, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
         throw new ElasticsearchSecurityException("Can't execute an update request if field or document level security is enabled",
                 RestStatus.BAD_REQUEST);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequest.java

@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.role;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -24,13 +26,13 @@ import static org.elasticsearch.action.ValidateActions.addValidationError;
 /**
  * Request object for adding a role to the shield index
  */
-public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
+public class PutRoleRequest extends ActionRequest<PutRoleRequest> implements WriteRequest<PutRoleRequest> {
 
     private String name;
     private String[] clusterPrivileges = Strings.EMPTY_ARRAY;
     private List<RoleDescriptor.IndicesPrivileges> indicesPrivileges = new ArrayList<>();
     private String[] runAs = Strings.EMPTY_ARRAY;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
     
     public PutRoleRequest() {
     }
@@ -69,8 +71,19 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
         this.runAs = usernames;
     }
 
-    public void refresh(boolean refresh) {
+    @Override
-        this.refresh = refresh;
+    public PutRoleRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
+    }
+
+    /**
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public WriteRequest.RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
     }
 
     public String name() {
@@ -89,10 +102,6 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
         return runAs;
     }
 
-    public boolean refresh() {
-        return refresh;
-    }
-
     @Override
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
@@ -104,7 +113,7 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
             indicesPrivileges.add(RoleDescriptor.IndicesPrivileges.createFrom(in));
         }
         runAs = in.readStringArray();
-        refresh = in.readBoolean();
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -117,7 +126,7 @@ public class PutRoleRequest extends ActionRequest<PutRoleRequest> {
             index.writeTo(out);
         }
         out.writeStringArray(runAs);
-        out.writeBoolean(refresh);
+        refreshPolicy.writeTo(out);
     }
 
     RoleDescriptor roleDescriptor() {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleRequestBuilder.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.action.role;
 
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -14,7 +15,8 @@ import org.elasticsearch.shield.authz.RoleDescriptor;
 /**
  * Builder for requests to add a role to the administrative index
  */
-public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder> {
+public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder>
+        implements WriteRequestBuilder<PutRoleRequestBuilder> {
 
     public PutRoleRequestBuilder(ElasticsearchClient client) {
         this(client, PutRoleAction.INSTANCE);
@@ -54,9 +56,4 @@ public class PutRoleRequestBuilder extends ActionRequestBuilder<PutRoleRequest,
         request.addIndex(indices, privileges, fields, query);
         return this;
     }
-
-    public PutRoleRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequest.java

@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.io.stream.StreamOutput;
@@ -17,12 +19,14 @@ import java.io.IOException;
 import static org.elasticsearch.action.ValidateActions.addValidationError;
 
 /**
+ * Request to change a user's password.
  */
-public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest> implements UserRequest {
+public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
+        implements UserRequest, WriteRequest<ChangePasswordRequest> {
 
     private String username;
     private char[] passwordHash;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
 
     @Override
     public ActionRequestValidationException validate() {
@@ -52,12 +56,19 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         this.passwordHash = passwordHash;
     }
 
-    public boolean refresh() {
+    /**
-        return refresh;
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
     }
 
-    public void refresh(boolean refresh) {
+    @Override
-        this.refresh = refresh;
+    public ChangePasswordRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
     }
 
     @Override
@@ -70,6 +81,7 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         super.readFrom(in);
         username = in.readString();
         passwordHash = CharArrays.utf8BytesToChars(in.readBytesReference().array());
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -77,5 +89,6 @@ public class ChangePasswordRequest extends ActionRequest<ChangePasswordRequest>
         super.writeTo(out);
         out.writeString(username);
         out.writeBytesReference(new BytesArray(CharArrays.toUtf8Bytes(passwordHash)));
+        refreshPolicy.writeTo(out);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/ChangePasswordRequestBuilder.java

@@ -7,25 +7,28 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.ParseFieldMatcher;
 import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.support.Validation;
+import org.elasticsearch.shield.user.User;
 import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 
 import java.io.IOException;
 import java.util.Arrays;
 
 /**
+ * Request to change a user's password.
  */
 public class ChangePasswordRequestBuilder
-        extends ActionRequestBuilder<ChangePasswordRequest, ChangePasswordResponse, ChangePasswordRequestBuilder> {
+        extends ActionRequestBuilder<ChangePasswordRequest, ChangePasswordResponse, ChangePasswordRequestBuilder>
+        implements WriteRequestBuilder<ChangePasswordRequestBuilder> {
 
     public ChangePasswordRequestBuilder(ElasticsearchClient client) {
         this(client, ChangePasswordAction.INSTANCE);
@@ -81,9 +84,4 @@ public class ChangePasswordRequestBuilder
         }
         return this;
     }
-
-    public ChangePasswordRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequest.java

@@ -7,6 +7,8 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.action.ActionRequest;
 import org.elasticsearch.action.ActionRequestValidationException;
+import org.elasticsearch.action.support.WriteRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
@@ -22,7 +24,7 @@ import static org.elasticsearch.action.ValidateActions.addValidationError;
 /**
  * Request object to put a native user.
  */
-public class PutUserRequest extends ActionRequest<PutUserRequest> implements UserRequest {
+public class PutUserRequest extends ActionRequest<PutUserRequest> implements UserRequest, WriteRequest<PutUserRequest> {
 
     private String username;
     private String[] roles;
@@ -30,7 +32,7 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
     private String email;
     private Map<String, Object> metadata;
     private char[] passwordHash;
-    private boolean refresh = true;
+    private RefreshPolicy refreshPolicy = RefreshPolicy.IMMEDIATE;
 
     public PutUserRequest() {
     }
@@ -72,8 +74,19 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         this.passwordHash = passwordHash;
     }
 
-    public void refresh(boolean refresh) {
+    /**
-        this.refresh = refresh;
+     * Should this request trigger a refresh ({@linkplain RefreshPolicy#IMMEDIATE}, the default), wait for a refresh (
+     * {@linkplain RefreshPolicy#WAIT_UNTIL}), or proceed ignore refreshes entirely ({@linkplain RefreshPolicy#NONE}).
+     */
+    @Override
+    public RefreshPolicy getRefreshPolicy() {
+        return refreshPolicy;
+    }
+
+    @Override
+    public PutUserRequest setRefreshPolicy(RefreshPolicy refreshPolicy) {
+        this.refreshPolicy = refreshPolicy;
+        return this;
     }
 
     public String username() {
@@ -101,10 +114,6 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         return passwordHash;
     }
 
-    public boolean refresh() {
-        return refresh;
-    }
-
     @Override
     public String[] usernames() {
         return new String[] { username };
@@ -124,7 +133,7 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
         fullName = in.readOptionalString();
         email = in.readOptionalString();
         metadata = in.readBoolean() ? in.readMap() : null;
-        refresh = in.readBoolean();
+        refreshPolicy = RefreshPolicy.readFrom(in);
     }
 
     @Override
@@ -147,6 +156,6 @@ public class PutUserRequest extends ActionRequest<PutUserRequest> implements Use
             out.writeBoolean(true);
             out.writeMap(metadata);
         }
-        out.writeBoolean(refresh);
+        refreshPolicy.writeTo(out);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserRequestBuilder.java

@@ -7,6 +7,7 @@ package org.elasticsearch.shield.action.user;
 
 import org.elasticsearch.ElasticsearchParseException;
 import org.elasticsearch.action.ActionRequestBuilder;
+import org.elasticsearch.action.support.WriteRequestBuilder;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.ParseFieldMatcher;
@@ -15,17 +16,18 @@ import org.elasticsearch.common.ValidationException;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.xcontent.XContentHelper;
 import org.elasticsearch.common.xcontent.XContentParser;
-import org.elasticsearch.shield.user.User;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.support.Validation;
+import org.elasticsearch.shield.user.User;
 import org.elasticsearch.xpack.common.xcontent.XContentUtils;
 
 import java.io.IOException;
 import java.util.Arrays;
 import java.util.Map;
 
-public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest, PutUserResponse, PutUserRequestBuilder> {
+public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest, PutUserResponse, PutUserRequestBuilder>
+        implements WriteRequestBuilder<PutUserRequestBuilder> {
 
     private final Hasher hasher = Hasher.BCRYPT;
 
@@ -77,11 +79,6 @@ public class PutUserRequestBuilder extends ActionRequestBuilder<PutUserRequest,
         return this;
     }
 
-    public PutUserRequestBuilder refresh(boolean refresh) {
-        request.refresh(refresh);
-        return this;
-    }
-
     public PutUserRequestBuilder source(String username, BytesReference source) throws IOException {
         username(username);
         try (XContentParser parser = XContentHelper.createParser(source)) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/AuditTrailModule.java

@@ -102,10 +102,10 @@ public class AuditTrailModule extends AbstractShieldModule.Node {
         return false;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(ENABLED_SETTING);
+        settings.add(ENABLED_SETTING);
-        settingsModule.registerSetting(OUTPUTS_SETTING);
+        settings.add(OUTPUTS_SETTING);
-        LoggingAuditTrail.registerSettings(settingsModule);
+        LoggingAuditTrail.registerSettings(settings);
-        IndexAuditTrail.registerSettings(settingsModule);
+        IndexAuditTrail.registerSettings(settings);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java

@@ -877,15 +877,15 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void registerSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(INDEX_SETTINGS);
+        settings.add(INDEX_SETTINGS);
-        settingsModule.registerSetting(EXCLUDE_EVENT_SETTINGS);
+        settings.add(EXCLUDE_EVENT_SETTINGS);
-        settingsModule.registerSetting(INCLUDE_EVENT_SETTINGS);
+        settings.add(INCLUDE_EVENT_SETTINGS);
-        settingsModule.registerSetting(ROLLOVER_SETTING);
+        settings.add(ROLLOVER_SETTING);
-        settingsModule.registerSetting(BULK_SIZE_SETTING);
+        settings.add(BULK_SIZE_SETTING);
-        settingsModule.registerSetting(FLUSH_TIMEOUT_SETTING);
+        settings.add(FLUSH_TIMEOUT_SETTING);
-        settingsModule.registerSetting(QUEUE_SIZE_SETTING);
+        settings.add(QUEUE_SIZE_SETTING);
-        settingsModule.registerSetting(REMOTE_CLIENT_SETTINGS);
+        settings.add(REMOTE_CLIENT_SETTINGS);
     }
 
     private class QueueConsumer extends Thread {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/logfile/LoggingAuditTrail.java

@@ -35,6 +35,7 @@ import org.elasticsearch.transport.TransportMessage;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
+import java.util.List;
 
 import static org.elasticsearch.common.Strings.arrayToCommaDelimitedString;
 import static org.elasticsearch.shield.audit.AuditUtil.indices;
@@ -463,9 +464,9 @@ public class LoggingAuditTrail extends AbstractLifecycleComponent<LoggingAuditTr
         return builder.append(user.principal()).append("]").toString();
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void registerSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(HOST_ADDRESS_SETTING);
+        settings.add(HOST_ADDRESS_SETTING);
-        settingsModule.registerSetting(HOST_NAME_SETTING);
+        settings.add(HOST_NAME_SETTING);
-        settingsModule.registerSetting(NODE_NAME_SETTING);
+        settings.add(NODE_NAME_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java

@@ -29,6 +29,7 @@ import org.elasticsearch.transport.TransportMessage;
 
 import java.io.IOException;
 import java.util.Base64;
+import java.util.List;
 
 import static org.elasticsearch.shield.Security.setting;
 import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -316,9 +317,9 @@ public class InternalAuthenticationService extends AbstractComponent implements
         return null;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(SIGN_USER_HEADER);
+        settings.add(SIGN_USER_HEADER);
-        settingsModule.registerSetting(RUN_AS_ENABLED);
+        settings.add(RUN_AS_ENABLED);
     }
 
     // these methods are package private for testing. They are also needed so that a AuditableRequest can be created in tests

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchException;
+import org.elasticsearch.common.collect.Iterators;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
@@ -101,6 +102,10 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
 
     @Override
     public Iterator<Realm> iterator() {
+        if (shieldLicenseState.authenticationAndAuthorizationEnabled() == false) {
+            return Collections.emptyIterator();
+        }
+
         EnabledRealmType enabledRealmType = shieldLicenseState.enabledRealmType();
         switch (enabledRealmType) {
             case ALL:
@@ -207,7 +212,7 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settingsModule) {
-        settingsModule.registerSetting(REALMS_GROUPS_SETTINGS);
+        settingsModule.add(REALMS_GROUPS_SETTINGS);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/NativeUsersStore.java

@@ -9,6 +9,7 @@ import com.carrotsearch.hppc.ObjectHashSet;
 import com.carrotsearch.hppc.ObjectLongHashMap;
 import com.carrotsearch.hppc.ObjectLongMap;
 import com.carrotsearch.hppc.cursors.ObjectCursor;
+
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.ActionListener;
@@ -23,6 +24,7 @@ import org.elasticsearch.action.search.ClearScrollResponse;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchScrollRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.action.update.UpdateResponse;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
@@ -49,9 +51,6 @@ import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.search.SearchHit;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldTemplateService;
-import org.elasticsearch.shield.user.SystemUser;
-import org.elasticsearch.shield.user.User;
-import org.elasticsearch.shield.user.User.Fields;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
 import org.elasticsearch.shield.action.user.ChangePasswordRequest;
@@ -61,6 +60,9 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.shield.support.SelfReschedulingRunnable;
+import org.elasticsearch.shield.user.SystemUser;
+import org.elasticsearch.shield.user.User;
+import org.elasticsearch.shield.user.User.Fields;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 
@@ -324,7 +326,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
 
         client.prepareUpdate(ShieldTemplateService.SECURITY_INDEX_NAME, docType, username)
                 .setDoc(Fields.PASSWORD.getPreferredName(), String.valueOf(request.passwordHash()))
-                .setRefresh(request.refresh())
+                .setRefreshPolicy(request.getRefreshPolicy())
                 .execute(new ActionListener<UpdateResponse>() {
                     @Override
                     public void onResponse(UpdateResponse updateResponse) {
@@ -345,7 +347,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         }
 
                         if (docType.equals(RESERVED_USER_DOC_TYPE)) {
-                            createReservedUser(username, request.passwordHash(), request.refresh(), listener);
+                            createReservedUser(username, request.passwordHash(), request.getRefreshPolicy(), listener);
                         } else {
                             logger.debug("failed to change password for user [{}]", cause, request.username());
                             ValidationException validationException = new ValidationException();
@@ -356,10 +358,10 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                 });
     }
 
-    private void createReservedUser(String username, char[] passwordHash, boolean refresh, ActionListener<Void> listener) {
+    private void createReservedUser(String username, char[] passwordHash, RefreshPolicy refresh, ActionListener<Void> listener) {
         client.prepareIndex(ShieldTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, username)
                 .setSource(Fields.PASSWORD.getPreferredName(), String.valueOf(passwordHash))
-                .setRefresh(refresh)
+                .setRefreshPolicy(refresh)
                 .execute(new ActionListener<IndexResponse>() {
                     @Override
                     public void onResponse(IndexResponse indexResponse) {
@@ -400,7 +402,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(),
                         User.Fields.EMAIL.getPreferredName(), putUserRequest.email(),
                         User.Fields.METADATA.getPreferredName(), putUserRequest.metadata())
-                .setRefresh(putUserRequest.refresh())
+                .setRefreshPolicy(putUserRequest.getRefreshPolicy())
                 .execute(new ActionListener<UpdateResponse>() {
                     @Override
                     public void onResponse(UpdateResponse updateResponse) {
@@ -440,7 +442,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
                         User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(),
                         User.Fields.EMAIL.getPreferredName(), putUserRequest.email(),
                         User.Fields.METADATA.getPreferredName(), putUserRequest.metadata())
-                .setRefresh(putUserRequest.refresh())
+                .setRefreshPolicy(putUserRequest.getRefreshPolicy())
                 .execute(new ActionListener<IndexResponse>() {
                     @Override
                     public void onResponse(IndexResponse indexResponse) {
@@ -470,7 +472,7 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
             DeleteRequest request = client.prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME,
                     USER_DOC_TYPE, deleteUserRequest.username()).request();
             request.indicesOptions().ignoreUnavailable();
-            request.refresh(deleteUserRequest.refresh());
+            request.setRefreshPolicy(deleteUserRequest.refresh() ? RefreshPolicy.IMMEDIATE : RefreshPolicy.WAIT_UNTIL);
             client.delete(request, new ActionListener<DeleteResponse>() {
                 @Override
                 public void onResponse(DeleteResponse deleteResponse) {
@@ -865,9 +867,9 @@ public class NativeUsersStore extends AbstractComponent implements ClusterStateL
         void onUsersChanged(List<String> username);
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(SCROLL_SIZE_SETTING);
+        settings.add(SCROLL_SIZE_SETTING);
-        settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING);
+        settings.add(SCROLL_KEEP_ALIVE_SETTING);
-        settingsModule.registerSetting(POLL_INTERVAL_SETTING);
+        settings.add(POLL_INTERVAL_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java

@@ -357,7 +357,7 @@ public class InternalAuthorizationService extends AbstractComponent implements A
         return authorizationError("action [{}] is unauthorized for user [{}]", action, user.principal());
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
+        settings.add(ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java

@@ -35,6 +35,7 @@ import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
 import org.elasticsearch.index.engine.EngineException;
 import org.elasticsearch.index.mapper.DocumentMapper;
 import org.elasticsearch.index.mapper.MapperService;
+import org.elasticsearch.index.mapper.internal.FieldNamesFieldMapper;
 import org.elasticsearch.index.mapper.internal.ParentFieldMapper;
 import org.elasticsearch.index.query.ParsedQuery;
 import org.elasticsearch.index.query.QueryBuilder;
@@ -52,6 +53,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 import static org.apache.lucene.search.BooleanClause.Occur.SHOULD;
@@ -89,6 +91,7 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
 
         Set<String> allowedMetaFields = new HashSet<>();
         allowedMetaFields.addAll(Arrays.asList(MapperService.getAllMetaFields()));
+        allowedMetaFields.add(FieldNamesFieldMapper.NAME); // TODO: add _field_names to MapperService#META_FIELDS?
         allowedMetaFields.add("_source"); // TODO: add _source to MapperService#META_FIELDS?
         allowedMetaFields.add("_version"); // TODO: add _version to MapperService#META_FIELDS?
         allowedMetaFields.remove("_all"); // The _all field contains actual data and we can't include that by default.
@@ -122,9 +125,11 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
                 for (BytesReference bytesReference : permissions.getQueries()) {
                     QueryShardContext queryShardContext = copyQueryShardContext(this.queryShardContext);
                     try (XContentParser parser = XContentFactory.xContent(bytesReference).createParser(bytesReference)) {
-                        QueryBuilder queryBuilder = queryShardContext.newParseContext(parser).parseInnerQueryBuilder();
+                        Optional<QueryBuilder> queryBuilder = queryShardContext.newParseContext(parser).parseInnerQueryBuilder();
-                        ParsedQuery parsedQuery = queryShardContext.toQuery(queryBuilder);
+                        if (queryBuilder.isPresent()) {
-                        filter.add(parsedQuery.query(), SHOULD);
+                            ParsedQuery parsedQuery = queryShardContext.toQuery(queryBuilder.get());
+                            filter.add(parsedQuery.query(), SHOULD);
+                        }
                     }
                 }
                 // at least one of the queries should match

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java

@@ -260,7 +260,7 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(ROLES_FILE_SETTING);
+        settings.add(ROLES_FILE_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/NativeRolesStore.java

@@ -18,6 +18,7 @@ import org.elasticsearch.action.search.ClearScrollResponse;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.search.SearchScrollRequest;
+import org.elasticsearch.action.support.WriteRequest.RefreshPolicy;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
 import org.elasticsearch.cluster.ClusterState;
@@ -30,7 +31,6 @@ import org.elasticsearch.common.inject.Provider;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.common.xcontent.ToXContent;
@@ -269,7 +269,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         try {
             DeleteRequest request = client.prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME,
                     ROLE_DOC_TYPE, deleteRoleRequest.name()).request();
-            request.refresh(deleteRoleRequest.refresh());
+            request.setRefreshPolicy(deleteRoleRequest.refresh() ? RefreshPolicy.IMMEDIATE : RefreshPolicy.WAIT_UNTIL);
             client.delete(request, new ActionListener<DeleteResponse>() {
                 @Override
                 public void onResponse(DeleteResponse deleteResponse) {
@@ -299,7 +299,7 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         try {
             client.prepareIndex(ShieldTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, role.getName())
                     .setSource(role.toXContent(jsonBuilder(), ToXContent.EMPTY_PARAMS))
-                    .setRefresh(request.refresh())
+                    .setRefreshPolicy(request.getRefreshPolicy())
                     .execute(new ActionListener<IndexResponse>() {
                         @Override
                         public void onResponse(IndexResponse indexResponse) {
@@ -603,9 +603,9 @@ public class NativeRolesStore extends AbstractComponent implements RolesStore, C
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(SCROLL_SIZE_SETTING);
+        settings.add(SCROLL_SIZE_SETTING);
-        settingsModule.registerSetting(SCROLL_KEEP_ALIVE_SETTING);
+        settings.add(SCROLL_KEEP_ALIVE_SETTING);
-        settingsModule.registerSetting(POLL_INTERVAL_SETTING);
+        settings.add(POLL_INTERVAL_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java

@@ -676,10 +676,10 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(FILE_SETTING);
+        settings.add(FILE_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_KEY_LENGTH_SETTING);
+        settings.add(ENCRYPTION_KEY_LENGTH_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_KEY_ALGO_SETTING);
+        settings.add(ENCRYPTION_KEY_ALGO_SETTING);
-        settingsModule.registerSetting(ENCRYPTION_ALGO_SETTING);
+        settings.add(ENCRYPTION_ALGO_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java

@@ -36,9 +36,7 @@ public class RestPutRoleAction extends BaseRestHandler {
     @Override
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         PutRoleRequestBuilder requestBuilder = new SecurityClient(client).preparePutRole(request.param("name"), request.content());
-        if (request.hasParam("refresh")) {
+        requestBuilder.setRefreshPolicy(request.param("refresh"));
-            requestBuilder.refresh(request.paramAsBoolean("refresh", true));
-        }
         requestBuilder.execute(new RestBuilderListener<PutRoleResponse>(channel) {
             @Override
             public RestResponse buildResponse(PutRoleResponse putRoleResponse, XContentBuilder builder) throws Exception {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java

@@ -47,7 +47,7 @@ public class RestChangePasswordAction extends BaseRestHandler {
         }
 
         new SecurityClient(client).prepareChangePassword(username, request.content())
-                .refresh(request.paramAsBoolean("refresh", true))
+                .setRefreshPolicy(request.param("refresh"))
                 .execute(new RestBuilderListener<ChangePasswordResponse>(channel) {
                     @Override
                     public RestResponse buildResponse(ChangePasswordResponse changePasswordResponse, XContentBuilder builder) throws

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java

@@ -37,7 +37,7 @@ public class RestPutUserAction extends BaseRestHandler {
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         PutUserRequestBuilder requestBuilder = new SecurityClient(client).preparePutUser(request.param("username"), request.content());
         if (request.hasParam("refresh")) {
-            requestBuilder.refresh(request.paramAsBoolean("refresh", true));
+            requestBuilder.setRefreshPolicy(request.param("refresh"));
         }
         requestBuilder.execute(new RestBuilderListener<PutUserResponse>(channel) {
             @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/SSLConfiguration.java

@@ -147,25 +147,25 @@ public abstract class SSLConfiguration {
         static final Setting<Boolean> INCLUDE_JDK_CERTS_SETTING = Setting.boolSetting(globalKey(Custom.INCLUDE_JDK_CERTS_SETTING), true,
                 Property.NodeScope, Property.Filtered);
 
-        public static void registerSettings(SettingsModule settingsModule) {
+        public static void addSettings(List<Setting<?>> settings) {
-            settingsModule.registerSetting(Global.CIPHERS_SETTING);
+            settings.add(Global.CIPHERS_SETTING);
-            settingsModule.registerSetting(Global.SUPPORTED_PROTOCOLS_SETTING);
+            settings.add(Global.SUPPORTED_PROTOCOLS_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_PATH_SETTING);
+            settings.add(Global.KEYSTORE_PATH_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_PASSWORD_SETTING);
+            settings.add(Global.KEYSTORE_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_ALGORITHM_SETTING);
+            settings.add(Global.KEYSTORE_ALGORITHM_SETTING);
-            settingsModule.registerSetting(Global.KEYSTORE_KEY_PASSWORD_SETTING);
+            settings.add(Global.KEYSTORE_KEY_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.KEY_PATH_SETTING);
+            settings.add(Global.KEY_PATH_SETTING);
-            settingsModule.registerSetting(Global.KEY_PASSWORD_SETTING);
+            settings.add(Global.KEY_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.CERT_SETTING);
+            settings.add(Global.CERT_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_PATH_SETTING);
+            settings.add(Global.TRUSTSTORE_PATH_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_PASSWORD_SETTING);
+            settings.add(Global.TRUSTSTORE_PASSWORD_SETTING);
-            settingsModule.registerSetting(Global.TRUSTSTORE_ALGORITHM_SETTING);
+            settings.add(Global.TRUSTSTORE_ALGORITHM_SETTING);
-            settingsModule.registerSetting(Global.PROTOCOL_SETTING);
+            settings.add(Global.PROTOCOL_SETTING);
-            settingsModule.registerSetting(Global.SESSION_CACHE_SIZE_SETTING);
+            settings.add(Global.SESSION_CACHE_SIZE_SETTING);
-            settingsModule.registerSetting(Global.SESSION_CACHE_TIMEOUT_SETTING);
+            settings.add(Global.SESSION_CACHE_TIMEOUT_SETTING);
-            settingsModule.registerSetting(Global.CA_PATHS_SETTING);
+            settings.add(Global.CA_PATHS_SETTING);
-            settingsModule.registerSetting(Global.INCLUDE_JDK_CERTS_SETTING);
+            settings.add(Global.INCLUDE_JDK_CERTS_SETTING);
-            settingsModule.registerSetting(Global.RELOAD_ENABLED_SETTING);
+            settings.add(Global.RELOAD_ENABLED_SETTING);
         }
 
         private final KeyConfig keyConfig;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/filter/IPFilter.java

@@ -260,13 +260,13 @@ public class IPFilter {
         updateRules();
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(ALLOW_BOUND_ADDRESSES_SETTING);
+        settings.add(ALLOW_BOUND_ADDRESSES_SETTING);
-        settingsModule.registerSetting(IP_FILTER_ENABLED_SETTING);
+        settings.add(IP_FILTER_ENABLED_SETTING);
-        settingsModule.registerSetting(IP_FILTER_ENABLED_HTTP_SETTING);
+        settings.add(IP_FILTER_ENABLED_HTTP_SETTING);
-        settingsModule.registerSetting(HTTP_FILTER_ALLOW_SETTING);
+        settings.add(HTTP_FILTER_ALLOW_SETTING);
-        settingsModule.registerSetting(HTTP_FILTER_DENY_SETTING);
+        settings.add(HTTP_FILTER_DENY_SETTING);
-        settingsModule.registerSetting(TRANSPORT_FILTER_ALLOW_SETTING);
+        settings.add(TRANSPORT_FILTER_ALLOW_SETTING);
-        settingsModule.registerSetting(TRANSPORT_FILTER_DENY_SETTING);
+        settings.add(TRANSPORT_FILTER_DENY_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.java

@@ -27,6 +27,7 @@ import org.jboss.netty.handler.ssl.SslHandler;
 import javax.net.ssl.SSLEngine;
 
 import java.util.Collections;
+import java.util.List;
 
 import static org.elasticsearch.http.HttpTransportSettings.SETTING_HTTP_COMPRESSION;
 import static org.elasticsearch.shield.Security.setting;
@@ -128,10 +129,10 @@ public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settings) {
-        settingsModule.registerSetting(SSL_SETTING);
+        settings.add(SSL_SETTING);
-        settingsModule.registerSetting(CLIENT_AUTH_SETTING);
+        settings.add(CLIENT_AUTH_SETTING);
-        settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
+        settings.add(DEPRECATED_SSL_SETTING);
     }
 
     public static void overrideSettings(Settings.Builder settingsBuilder, Settings settings) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java

@@ -34,6 +34,7 @@ import org.jboss.netty.handler.ssl.SslHandler;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;
+import java.util.List;
 
 import static org.elasticsearch.shield.Security.featureEnabledSetting;
 import static org.elasticsearch.shield.Security.setting;
@@ -249,17 +250,17 @@ public class ShieldNettyTransport extends NettyTransport {
         }
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static void addSettings(List<Setting<?>> settingsModule) {
-        settingsModule.registerSetting(SSL_SETTING);
+        settingsModule.add(SSL_SETTING);
-        settingsModule.registerSetting(HOSTNAME_VERIFICATION_SETTING);
+        settingsModule.add(HOSTNAME_VERIFICATION_SETTING);
-        settingsModule.registerSetting(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING);
+        settingsModule.add(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING);
-        settingsModule.registerSetting(CLIENT_AUTH_SETTING);
+        settingsModule.add(CLIENT_AUTH_SETTING);
-        settingsModule.registerSetting(PROFILE_SSL_SETTING);
+        settingsModule.add(PROFILE_SSL_SETTING);
-        settingsModule.registerSetting(PROFILE_CLIENT_AUTH_SETTING);
+        settingsModule.add(PROFILE_CLIENT_AUTH_SETTING);
 
         // deprecated transport settings
-        settingsModule.registerSetting(DEPRECATED_SSL_SETTING);
+        settingsModule.add(DEPRECATED_SSL_SETTING);
-        settingsModule.registerSetting(DEPRECATED_PROFILE_SSL_SETTING);
+        settingsModule.add(DEPRECATED_PROFILE_SSL_SETTING);
-        settingsModule.registerSetting(DEPRECATED_HOSTNAME_VERIFICATION_SETTING);
+        settingsModule.add(DEPRECATED_HOSTNAME_VERIFICATION_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/user/AnonymousUser.java

@@ -12,6 +12,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.shield.user.User.ReservedUser;
 
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -80,8 +81,12 @@ public class AnonymousUser extends ReservedUser {
         return roles;
     }
 
-    public static void registerSettings(SettingsModule settingsModule) {
+    public static List<Setting<?>> getSettings() {
-        settingsModule.registerSetting(USERNAME_SETTING);
+        return Arrays.asList();
-        settingsModule.registerSetting(ROLES_SETTING);
+    }
+
+    public static void addSettings(List<Setting<?>> settingsList) {
+        settingsList.add(USERNAME_SETTING);
+        settingsList.add(ROLES_SETTING);
     }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java

@@ -13,10 +13,9 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.rest.RestStatus;
-import org.elasticsearch.shield.action.role.PutRoleResponse;
-import org.elasticsearch.shield.action.role.GetRolesResponse;
 import org.elasticsearch.shield.ShieldTemplateService;
-import org.elasticsearch.shield.authc.esnative.NativeRealm;
+import org.elasticsearch.shield.action.role.GetRolesResponse;
+import org.elasticsearch.shield.action.role.PutRoleResponse;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.authz.RoleDescriptor;
@@ -31,10 +30,13 @@ import org.junit.BeforeClass;
 import java.util.Arrays;
 import java.util.List;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.NONE;
 import static org.hamcrest.Matchers.arrayWithSize;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 
+
 /**
  * Test for the Shield clear roles API that changes the polling aspect of shield to only run once an hour in order to
  * test the cache clearing APIs.
@@ -91,13 +93,12 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
         int modifiedRolesCount = randomIntBetween(1, roles.length);
         List<String> toModify = randomSubsetOf(modifiedRolesCount, roles);
         logger.debug("--> modifying roles {} to have run_as", toModify);
-        final boolean refresh = randomBoolean();
         for (String role : toModify) {
             PutRoleResponse response = securityClient.preparePutRole(role)
                     .cluster("none")
                     .addIndices(new String[] { "*" }, new String[] { "ALL" }, null, null)
                     .runAs(role)
-                    .refresh(refresh)
+                    .setRefreshPolicy(randomBoolean() ? IMMEDIATE : NONE)
                     .get();
             assertThat(response.isCreated(), is(false));
             logger.debug("--> updated role [{}] with run_as", role);
@@ -115,7 +116,7 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
             UpdateResponse response = internalClient().prepareUpdate().setId(role).setIndex(ShieldTemplateService.SECURITY_INDEX_NAME)
                     .setType(NativeRolesStore.ROLE_DOC_TYPE)
                     .setDoc("run_as", new String[] { role })
-                    .setRefresh(refresh)
+                    .setRefreshPolicy(refresh ? IMMEDIATE : NONE)
                     .get();
             assertThat(response.isCreated(), is(false));
             logger.debug("--> updated role [{}] with run_as", role);
@@ -158,7 +159,7 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
         final boolean refresh = randomBoolean();
         DeleteResponse response = internalClient()
                 .prepareDelete(ShieldTemplateService.SECURITY_INDEX_NAME, NativeRolesStore.ROLE_DOC_TYPE, role)
-                .setRefresh(refresh)
+                .setRefreshPolicy(refresh ? IMMEDIATE : NONE)
                 .get();
         assertThat(response.isFound(), is(true));
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DateMathExpressionIntegTests.java

@@ -23,6 +23,8 @@ import org.elasticsearch.test.ShieldIntegTestCase;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.NONE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
@@ -64,7 +66,8 @@ public class DateMathExpressionIntegTests extends ShieldIntegTestCase {
             CreateIndexResponse response = client.admin().indices().prepareCreate(expression).get();
             assertThat(response.isAcknowledged(), is(true));
         }
-        IndexResponse response = client.prepareIndex(expression, "type").setSource("foo", "bar").setRefresh(refeshOnOperation).get();
+        IndexResponse response = client.prepareIndex(expression, "type").setSource("foo", "bar")
+                .setRefreshPolicy(refeshOnOperation ? IMMEDIATE : NONE).get();
 
         assertThat(response.isCreated(), is(true));
         assertThat(response.getIndex(), containsString(expectedIndexName));
@@ -84,7 +87,7 @@ public class DateMathExpressionIntegTests extends ShieldIntegTestCase {
 
         UpdateResponse updateResponse = client.prepareUpdate(expression, "type", response.getId())
                 .setDoc("new", "field")
-                .setRefresh(refeshOnOperation)
+                .setRefreshPolicy(refeshOnOperation ? IMMEDIATE : NONE)
                 .get();
         assertThat(updateResponse.isCreated(), is(false));
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java

@@ -17,6 +17,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
@@ -94,10 +95,10 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().filterWithHeader(
@@ -133,10 +134,10 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // Both users have the same role query, but user3 has access to field2 and not field1, which should result in zero hits:

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java

@@ -33,6 +33,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.hasChildQuery;
 import static org.elasticsearch.index.query.QueryBuilders.hasParentQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchAllQuery;
@@ -108,13 +109,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client()
@@ -289,13 +290,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -354,13 +355,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -419,13 +420,13 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text,fielddata=true", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "2").setSource("field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type1", "3").setSource("field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().prepareSearch("test")
@@ -483,11 +484,11 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type2", "_parent", "type=type1", "field3", "type=text,fielddata=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         client().prepareIndex("test", "type2", "2").setSource("field3", "value3")
                 .setParent("1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         SearchResponse response = client().prepareSearch("test")
@@ -705,7 +706,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
                 .addMapping("type", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type", "1").setSource("field1", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // With document level security enabled the update is not allowed:

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java

@@ -24,6 +24,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
@@ -141,7 +142,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", (Object[])fieldMappers)
         );
-        client().prepareIndex("test", "type1", "1").setSource(doc).setRefresh(true).get();
+        client().prepareIndex("test", "type1", "1").setSource(doc).setRefreshPolicy(IMMEDIATE).get();
 
         for (String allowedField : allowedFields) {
             logger.info("Checking allowed field [{}]", allowedField);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java

@@ -32,7 +32,9 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.index.query.QueryBuilders.constantScoreQuery;
+import static org.elasticsearch.index.query.QueryBuilders.existsQuery;
 import static org.elasticsearch.index.query.QueryBuilders.hasChildQuery;
 import static org.elasticsearch.index.query.QueryBuilders.matchQuery;
 import static org.elasticsearch.index.query.QueryBuilders.termQuery;
@@ -136,7 +138,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 has access to field1, so the query should match with the document:
@@ -481,14 +483,12 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getResponses()[0].getResponse().getSource().get("field2").toString(), equalTo("value2"));
     }
 
-    // norelease - we need to fix the issue so that only fields a user can see are returned
-    @AwaitsFix(bugUrl = "https://github.com/elastic/x-plugins/issues/2120")
     public void testFieldStatsApi() throws Exception {
         assertAcked(client().admin().indices().prepareCreate("test")
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -622,7 +622,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         int max = scaledRandomIntBetween(4, 32);
@@ -660,7 +660,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         int max = scaledRandomIntBetween(4, 32);
@@ -702,7 +702,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,store=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -799,7 +799,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted access to field1 only:
@@ -873,7 +873,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         );
 
         client().prepareIndex("test", "type1", "1").setSource("field1", 1d, "field2", 2d)
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is granted to use field1, so it is included in the sort_values
@@ -882,28 +882,28 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                 .prepareSearch("test")
                 .addSort("field1", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(1L));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(1L));
 
         // user2 is not granted to use field1, so the default missing sort value is included
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field1", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
 
         // user1 is not granted to use field2, so the default missing sort value is included
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field2", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(Long.MAX_VALUE));
 
         // user2 is granted to use field2, so it is included in the sort_values
         response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
                 .prepareSearch("test")
                 .addSort("field2", SortOrder.ASC)
                 .get();
-        assertThat((Long) response.getHits().getAt(0).sortValues()[0], equalTo(2L));
+        assertThat(response.getHits().getAt(0).sortValues()[0], equalTo(2L));
     }
 
     public void testAggs() throws Exception {
@@ -911,7 +911,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text,fielddata=true", "field2", "type=text,fielddata=true")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user1 is authorized to use field1, so buckets are include for a term agg on field1
@@ -951,7 +951,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -1035,7 +1035,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                                 "field3", "type=text,term_vector=with_positions_offsets_payloads")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         boolean realtime = randomBoolean();
@@ -1155,7 +1155,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         );
         client().prepareIndex("test", "type", "1")
                 .setSource("field1", "value1", "field2", "value1")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // With field level security enabled the update is not allowed:
@@ -1200,7 +1200,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
                         .addMapping("type1", "field1", "type=text", "field2", "type=text")
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         // user6 has access to all fields, so the query should match with the document:
@@ -1224,4 +1224,64 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
         assertThat(response.getHits().getAt(0).sourceAsMap().get("field2").toString(), equalTo("value2"));
     }
 
+    public void testExistQuery() {
+        assertAcked(client().admin().indices().prepareCreate("test")
+                .addMapping("type1", "field1", "type=text", "field2", "type=text", "field3", "type=text")
+        );
+        client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2", "field3", "value3")
+                .setRefreshPolicy(IMMEDIATE)
+                .get();
+
+        // user1 has access to field1, so the query should match with the document:
+        SearchResponse response = client()
+                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 1);
+        // user1 has no access to field2, so the query should not match with the document:
+        response = client()
+                .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 0);
+        // user2 has no access to field1, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 0);
+        // user2 has access to field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 1);
+        // user3 has access to field1 and field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 1);
+        // user3 has access to field1 and field2, so the query should match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 1);
+        // user4 has access to no fields, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user4", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field1"))
+                .get();
+        assertHitCount(response, 0);
+        // user4 has access to no fields, so the query should not match with the document:
+        response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user4", USERS_PASSWD)))
+                .prepareSearch("test")
+                .setQuery(existsQuery("field2"))
+                .get();
+        assertHitCount(response, 0);
+    }
+
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java

@@ -16,6 +16,7 @@ import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
@@ -72,7 +73,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield
                         .addAlias(new Alias("an_alias"))
         );
         client().prepareIndex("test", "type1", "1").setSource("field1", "value1", "field2", "value2",  "field3", "value3")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
 
         GetResponse getResponse = client()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/KibanaUserRoleIntegTests.java

@@ -25,6 +25,7 @@ import org.elasticsearch.test.ShieldIntegTestCase;
 import java.util.Locale;
 
 import static java.util.Collections.singletonMap;
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -183,7 +184,7 @@ public class KibanaUserRoleIntegTests extends ShieldIntegTestCase {
                 .setIndex(index)
                 .setType("dashboard")
                 .setSource("foo", "bar")
-                .setRefresh(true)
+                .setRefreshPolicy(IMMEDIATE)
                 .get();
         assertThat(response.isCreated(), is(true));
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java

@@ -24,6 +24,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertThrows;
@@ -63,7 +64,7 @@ public class ShieldClearScrollTests extends ShieldIntegTestCase {
 
     @Before
     public void indexRandomDocuments() {
-        BulkRequestBuilder bulkRequestBuilder = client().prepareBulk().setRefresh(true);
+        BulkRequestBuilder bulkRequestBuilder = client().prepareBulk().setRefreshPolicy(IMMEDIATE);
         for (int i = 0; i < randomIntBetween(10, 50); i++) {
             bulkRequestBuilder.add(client().prepareIndex("index", "type", String.valueOf(i)).setSource("{ \"foo\" : \"bar\" }"));
         }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/SecurityFeatureSetTests.java

@@ -15,6 +15,7 @@ import org.elasticsearch.xpack.watcher.support.xcontent.XContentSource;
 import org.junit.Before;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -92,7 +93,7 @@ public class SecurityFeatureSetTests extends ESTestCase {
             realmUsage.put("key3", i % 2 == 0);
             when(realm.usageStats()).thenReturn(realmUsage);
         }
-        when(realms.iterator()).thenReturn(realmsList.iterator());
+        when(realms.iterator()).thenReturn(available ? realmsList.iterator() : Collections.<Realm>emptyIterator());
 
         SecurityFeatureSet featureSet = new SecurityFeatureSet(settings.build(), licenseState, realms, namedWriteableRegistry);
         XPackFeatureSet.Usage usage = featureSet.usage();
@@ -102,12 +103,14 @@ public class SecurityFeatureSetTests extends ESTestCase {
         assertThat(usage.available(), is(available));
         XContentSource source = new XContentSource(usage);
 
-        if (enabled) {
+        if (enabled && available) {
             for (int i = 0; i < 5; i++) {
                 assertThat(source.getValue("enabled_realms." + i + ".key1"), is("value" + i));
                 assertThat(source.getValue("enabled_realms." + i + ".key2"), is(i));
                 assertThat(source.getValue("enabled_realms." + i + ".key3"), is(i % 2 == 0));
             }
+        } else if (enabled) {
+            assertThat(source.getValue("enabled_realms"), is(notNullValue()));
         } else {
             assertThat(source.getValue("enabled_realms"), is(nullValue()));
         }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/VersionCompatibilityTests.java

@@ -37,6 +37,6 @@ public class VersionCompatibilityTests extends ESTestCase {
          *
          */
         assertThat("Remove workaround in LicenseService class when es core supports merging cluster level custom metadata",
-                   Version.CURRENT.equals(Version.V_5_0_0), is(true));
+                   Version.CURRENT.equals(Version.V_5_0_0_alpha4), is(true));
     }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java

@@ -11,14 +11,14 @@ import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.network.NetworkService;
-import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
-import org.elasticsearch.indices.breaker.CircuitBreakerModule;
+import org.elasticsearch.indices.breaker.CircuitBreakerService;
+import org.elasticsearch.node.Node;
 import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
-import org.elasticsearch.threadpool.ThreadPoolModule;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.local.LocalTransport;
 
@@ -35,8 +35,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put("client.type", "node")
                 .put(AuditTrailModule.ENABLED_SETTING.getKey(), false)
                 .build();
-        SettingsModule settingsModule = new SettingsModule(settings);
+        SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING);
-        settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
         Injector injector = Guice.createInjector(settingsModule, new AuditTrailModule(settings));
         AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
         assertThat(auditTrail, is(AuditTrail.NOOP));
@@ -55,10 +54,9 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put(AuditTrailModule.ENABLED_SETTING.getKey(), true)
                 .put("client.type", "node")
                 .build();
-        ThreadPool pool = new ThreadPool("testLogFile");
+        ThreadPool pool = new TestThreadPool("testLogFile");
         try {
-            SettingsModule settingsModule = new SettingsModule(settings);
+            SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING);
-            settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
             Injector injector = Guice.createInjector(
                     settingsModule,
                     new NetworkModule(new NetworkService(settings), settings, false, new NamedWriteableRegistry()) {
@@ -68,8 +66,11 @@ public class AuditTrailModuleTests extends ESTestCase {
                         }
                     },
                     new AuditTrailModule(settings),
-                    new CircuitBreakerModule(settings),
+                    b -> {
-                    new ThreadPoolModule(pool),
+                        b.bind(CircuitBreakerService.class).toInstance(Node.createCircuitBreakerService(settingsModule.getSettings(),
+                                settingsModule.getClusterSettings()));
+                        b.bind(ThreadPool.class).toInstance(pool);
+                    },
                     new Version.Module(Version.CURRENT)
             );
             AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
@@ -89,9 +90,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                 .put(AuditTrailModule.OUTPUTS_SETTING.getKey() , "foo")
                 .put("client.type", "node")
                 .build();
-        SettingsModule settingsModule = new SettingsModule(settings);
+        SettingsModule settingsModule = new SettingsModule(settings, AuditTrailModule.ENABLED_SETTING, AuditTrailModule.OUTPUTS_SETTING);
-        settingsModule.registerSetting(AuditTrailModule.ENABLED_SETTING);
-        settingsModule.registerSetting(AuditTrailModule.OUTPUTS_SETTING);
         try {
             Guice.createInjector(settingsModule, new AuditTrailModule(settings));
             fail("Expect initialization to fail when an unknown audit trail output is configured");

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailMutedTests.java

@@ -25,6 +25,7 @@ import org.elasticsearch.shield.transport.filter.ShieldIpFilterRule;
 import org.elasticsearch.shield.user.SystemUser;
 import org.elasticsearch.shield.user.User;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportMessage;
@@ -58,7 +59,7 @@ public class IndexAuditTrailMutedTests extends ESTestCase {
         when(transport.boundAddress()).thenReturn(new BoundTransportAddress(new TransportAddress[] { DummyTransportAddress.INSTANCE },
                         DummyTransportAddress.INSTANCE));
 
-        threadPool = new ThreadPool("index audit trail tests");
+        threadPool = new TestThreadPool("index audit trail tests");
         transportClient = TransportClient.builder().settings(Settings.EMPTY).build();
         clientCalled = new AtomicBoolean(false);
         client = new InternalClient(transportClient) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java

@@ -43,6 +43,7 @@ import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.InternalTestCluster;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInfo;
@@ -260,7 +261,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
         BoundTransportAddress boundTransportAddress = new BoundTransportAddress(new TransportAddress[]{DummyTransportAddress.INSTANCE},
                 DummyTransportAddress.INSTANCE);
         when(transport.boundAddress()).thenReturn(boundTransportAddress);
-        threadPool = new ThreadPool("index audit trail tests");
+        threadPool = new TestThreadPool("index audit trail tests");
         enqueuedMessage = new SetOnce<>();
         auditor = new IndexAuditTrail(settings, transport, Providers.of(internalClient()), threadPool, mock(ClusterService.class)) {
             @Override

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java

@@ -14,6 +14,7 @@ import org.elasticsearch.common.transport.DummyTransportAddress;
 import org.elasticsearch.common.transport.TransportAddress;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.rest.FakeRestRequest;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.transport.Transport;
 import org.junit.After;
@@ -39,7 +40,7 @@ public class IndexAuditTrailUpdateMappingTests extends ShieldIntegTestCase {
 
     @Before
     public void setup() {
-        threadPool = new ThreadPool("index audit trail update mapping tests");
+        threadPool = new TestThreadPool("index audit trail update mapping tests");
     }
 
     public void testMappingIsUpdated() throws Exception {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java

@@ -94,6 +94,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
         Settings settings = Settings.builder().put("path.home", createTempDir()).build();
         SecurityLicenseState shieldLicenseState = mock(SecurityLicenseState.class);
         when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
         realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.<String, Realm.Factory>emptyMap(), shieldLicenseState,
                 mock(ReservedRealm.class)) {
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java

@@ -52,6 +52,7 @@ public class RealmsTests extends ESTestCase {
         }
         shieldLicenseState = mock(SecurityLicenseState.class);
         reservedRealm = mock(ReservedRealm.class);
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(true);
         when(shieldLicenseState.enabledRealmType()).thenReturn(EnabledRealmType.ALL);
     }
 
@@ -338,6 +339,21 @@ public class RealmsTests extends ESTestCase {
         assertThat(count, equalTo(orderToIndex.size()));
     }
 
+    public void testAuthcAuthzDisabled() {
+        Settings settings = Settings.builder()
+                .put("path.home", createTempDir())
+                .put("xpack.security.authc.realms.realm_1.type", FileRealm.TYPE)
+                .put("xpack.security.authc.realms.realm_1.order", 0)
+                .build();
+        Environment env = new Environment(settings);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState, reservedRealm).start();
+
+        assertThat(realms.iterator().hasNext(), is(true));
+
+        when(shieldLicenseState.authenticationAndAuthorizationEnabled()).thenReturn(false);
+        assertThat(realms.iterator().hasNext(), is(false));
+    }
+
     static class DummyRealm extends Realm {
 
         public DummyRealm(String type, RealmConfig config) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealmTests.java

@@ -22,6 +22,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -92,7 +93,7 @@ public class ActiveDirectoryRealmTests extends ESTestCase {
             directoryServer.startListening();
             directoryServers[i] = directoryServer;
         }
-        threadPool = new ThreadPool("active directory realm tests");
+        threadPool = new TestThreadPool("active directory realm tests");
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         globalSettings = Settings.builder().put("path.home", createTempDir()).build();
     }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/NativeRealmIntegTests.java

@@ -44,6 +44,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
+import static org.elasticsearch.action.support.WriteRequest.RefreshPolicy.IMMEDIATE;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.containsString;
@@ -205,7 +206,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
 
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
@@ -227,7 +228,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
 
@@ -262,7 +263,7 @@ public class NativeRealmIntegTests extends NativeRealmIntegTestCase {
         createIndex("idx");
         ensureGreen("idx");
         // Index a document with the default test user
-        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefresh(true).get();
+        client().prepareIndex("idx", "doc", "1").setSource("body", "foo").setRefreshPolicy(IMMEDIATE).get();
         String token = basicAuthHeaderValue("joe", new SecuredString("s3krit".toCharArray()));
         SearchResponse searchResp = client().filterWithHeader(Collections.singletonMap("Authorization", token)).prepareSearch("idx").get();
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserPasswdStoreTests.java

@@ -16,6 +16,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.RefreshListener;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -62,7 +63,7 @@ public class FileUserPasswdStoreTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/file/FileUserRolesStoreTests.java

@@ -15,6 +15,7 @@ import org.elasticsearch.shield.audit.logfile.CapturingLogger;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.support.RefreshListener;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -63,7 +64,7 @@ public class FileUserRolesStoreTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After
@@ -224,7 +225,7 @@ public class FileUserRolesStoreTests extends ESTestCase {
     public void testParseFileEmptyRolesDoesNotCauseNPE() throws Exception {
         ThreadPool threadPool = null;
         try {
-            threadPool = new ThreadPool("test");
+            threadPool = new TestThreadPool("test");
             Path usersRoles = writeUsersRoles("role1:admin");
 
             Settings settings = Settings.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/LdapRealmTests.java

@@ -15,6 +15,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.user.User;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -49,7 +50,7 @@ public class LdapRealmTests extends LdapTestCase {
 
     @Before
     public void init() throws Exception {
-        threadPool = new ThreadPool("ldap realm tests");
+        threadPool = new TestThreadPool("ldap realm tests");
         resourceWatcherService = new ResourceWatcherService(Settings.EMPTY, threadPool);
         globalSettings = Settings.builder().put("path.home", createTempDir()).build();
     }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/support/DnRoleMapperTests.java

@@ -13,6 +13,7 @@ import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.activedirectory.ActiveDirectoryRealm;
 import org.elasticsearch.shield.authc.ldap.LdapRealm;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -69,7 +70,7 @@ public class DnRoleMapperTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
     }
 
     @After

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperIntegrationTests.java

@@ -39,6 +39,7 @@ import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.IndexSettingsModule;
 
 import java.util.Collections;
+import java.util.Optional;
 
 import static java.util.Collections.singleton;
 import static java.util.Collections.singletonMap;
@@ -138,7 +139,8 @@ public class ShieldIndexSearcherWrapperIntegrationTests extends ESTestCase {
         for (int i = 0; i < numValues; i++) {
             ParsedQuery parsedQuery = new ParsedQuery(new TermQuery(new Term("field", values[i])));
             when(queryShardContext.newParseContext(any(XContentParser.class))).thenReturn(queryParseContext);
-            when(queryParseContext.parseInnerQueryBuilder()).thenReturn((QueryBuilder) new TermQueryBuilder("field", values[i]));
+            when(queryParseContext.parseInnerQueryBuilder())
+                    .thenReturn(Optional.of((QueryBuilder) new TermQueryBuilder("field", values[i])));
             when(queryShardContext.toQuery(any(QueryBuilder.class))).thenReturn(parsedQuery);
             DirectoryReader wrappedDirectoryReader = wrapper.wrap(directoryReader);
             IndexSearcher indexSearcher = wrapper.wrap(new IndexSearcher(wrappedDirectoryReader));

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapperUnitTests.java

@@ -134,7 +134,7 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
 
         FieldSubsetReader.FieldSubsetDirectoryReader result =
                 (FieldSubsetReader.FieldSubsetDirectoryReader) shieldIndexSearcherWrapper.wrap(esIn);
-        assertThat(result.getFieldNames().size(), equalTo(11));
+        assertThat(result.getFieldNames().size(), equalTo(12));
         assertThat(result.getFieldNames().contains("_uid"), is(true));
         assertThat(result.getFieldNames().contains("_id"), is(true));
         assertThat(result.getFieldNames().contains("_version"), is(true));
@@ -146,6 +146,7 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
         assertThat(result.getFieldNames().contains("_ttl"), is(true));
         assertThat(result.getFieldNames().contains("_size"), is(true));
         assertThat(result.getFieldNames().contains("_index"), is(true));
+        assertThat(result.getFieldNames().contains("_field_names"), is(true));
         // _all contains actual user data and therefor can't be included by default
         assertThat(result.getFieldNames().contains("_all"), is(false));
     }
@@ -469,6 +470,16 @@ public class ShieldIndexSearcherWrapperUnitTests extends ESTestCase {
         public Weight createWeight(IndexSearcher searcher, boolean needsScores) throws IOException {
             return new CreateScorerOnceWeight(query.createWeight(searcher, needsScores));
         }
+
+        @Override
+        public boolean equals(Object obj) {
+            return sameClassAs(obj) && query.equals(((CreateScorerOnceQuery) obj).query);
+        }
+
+        @Override
+        public int hashCode() {
+            return 31 * classHash() + query.hashCode();
+        }
     }
 
     public void doTestIndexSearcherWrapper(boolean sparse, boolean deletions) throws IOException {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java

@@ -17,6 +17,7 @@ import org.elasticsearch.shield.authz.permission.RunAsPermission;
 import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
@@ -257,7 +258,7 @@ public class FileRolesStoreTests extends ESTestCase {
                     .build();
 
             Environment env = new Environment(settings);
-            threadPool = new ThreadPool("test");
+            threadPool = new TestThreadPool("test");
             watcherService = new ResourceWatcherService(settings, threadPool);
             final CountDownLatch latch = new CountDownLatch(1);
             FileRolesStore store = new FileRolesStore(settings, env, watcherService, new RefreshListener() {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java

@@ -10,6 +10,7 @@ import org.elasticsearch.common.io.Streams;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.junit.After;
@@ -53,7 +54,7 @@ public class InternalCryptoServiceTests extends ESTestCase {
                 .put("path.home", createTempDir())
                 .build();
         env = new Environment(settings);
-        threadPool = new ThreadPool("test");
+        threadPool = new TestThreadPool("test");
         watcherService = new ResourceWatcherService(settings, threadPool);
         watcherService.start();
     }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/SSLConfigurationTests.java

@@ -15,6 +15,7 @@ import org.elasticsearch.shield.ssl.SSLConfiguration.Custom;
 import org.elasticsearch.shield.ssl.SSLConfiguration.Global;
 import org.elasticsearch.shield.ssl.TrustConfig.Reloadable.Listener;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 
@@ -321,7 +322,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -384,7 +385,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload pem");
+        ThreadPool threadPool = new TestThreadPool("reload pem");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -460,7 +461,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -506,7 +507,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -554,7 +555,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -603,7 +604,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload pem");
+        ThreadPool threadPool = new TestThreadPool("reload pem");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -654,7 +655,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();
@@ -693,7 +694,7 @@ public class SSLConfigurationTests extends ESTestCase {
         AtomicReference<Exception> exceptionRef = new AtomicReference<>();
         Listener listener = createRefreshListener(latch, exceptionRef);
 
-        ThreadPool threadPool = new ThreadPool("reload");
+        ThreadPool threadPool = new TestThreadPool("reload");
         try {
             ResourceWatcherService resourceWatcherService =
                     new ResourceWatcherService(Settings.builder().put("resource.reload.interval.high", "1s").build(), threadPool).start();

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/support/SelfReschedulingRunnableTests.java

@@ -10,6 +10,7 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.AbstractRunnable;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.threadpool.TestThreadPool;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.threadpool.ThreadPool.Names;
 
@@ -189,7 +190,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
     }
 
     public void testStopPreventsRunning() throws Exception {
-        final ThreadPool threadPool = new ThreadPool("test-stop-self-schedule");
+        final ThreadPool threadPool = new TestThreadPool("test-stop-self-schedule");
         final AtomicInteger failureCounter = new AtomicInteger(0);
         final AtomicInteger runCounter = new AtomicInteger(0);
         final AbstractRunnable runnable = new AbstractRunnable() {
@@ -232,7 +233,7 @@ public class SelfReschedulingRunnableTests extends ESTestCase {
     }
 
     public void testStopPreventsRescheduling() throws Exception {
-        final ThreadPool threadPool = new ThreadPool("test-stop-self-schedule");
+        final ThreadPool threadPool = new TestThreadPool("test-stop-self-schedule");
         final CountDownLatch threadRunningLatch = new CountDownLatch(randomIntBetween(1, 16));
         final CountDownLatch stopCalledLatch = new CountDownLatch(1);
         final AbstractRunnable runnable = new AbstractRunnable() {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/SettingsFilterTests.java

@@ -15,7 +15,9 @@ import org.elasticsearch.shield.ssl.SSLConfiguration;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.hamcrest.Matcher;
 
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import static org.hamcrest.CoreMatchers.nullValue;
@@ -85,13 +87,14 @@ public class SettingsFilterTests extends ESTestCase {
                 .build();
 
         XPackPlugin xPackPlugin = new XPackPlugin(settings);
-        SettingsModule settingsModule = new SettingsModule(settings);
+        List<Setting<?>> settingList = new ArrayList<>();
+        settingList.add(Setting.simpleString("foo.bar", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("foo.baz", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("bar.baz", Setting.Property.NodeScope));
+        settingList.add(Setting.simpleString("baz.foo", Setting.Property.NodeScope));
+        settingList.addAll(xPackPlugin.getSettings());
         // custom settings, potentially added by a plugin
-        settingsModule.registerSetting(Setting.simpleString("foo.bar", Setting.Property.NodeScope));
+        SettingsModule settingsModule = new SettingsModule(settings, settingList, xPackPlugin.getSettingsFilter());
-        settingsModule.registerSetting(Setting.simpleString("foo.baz", Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.simpleString("bar.baz", Setting.Property.NodeScope));
-        settingsModule.registerSetting(Setting.simpleString("baz.foo", Setting.Property.NodeScope));
-        xPackPlugin.onModule(settingsModule);
 
         Injector injector = Guice.createInjector(settingsModule);
         SettingsFilter settingsFilter = injector.getInstance(SettingsFilter.class);

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java

@@ -217,7 +217,7 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
             return getSSLSettingsForPEMFiles("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.pem", "testnode",
                     Collections.singletonList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),
                     Arrays.asList("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode-client-profile.crt",
-                            "/org/elasticsearch/shield/transport/ssl/certs/simple/activedir.crt",
+                            "/org/elasticsearch/shield/transport/ssl/certs/simple/active-directory-ca.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/testclient.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/openldap.crt",
                             "/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.crt"),

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/KnownActionsTests.java

@@ -9,12 +9,12 @@ import org.apache.lucene.util.IOUtils;
 import org.elasticsearch.action.Action;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.io.Streams;
-import org.elasticsearch.graph.Graph;
 import org.elasticsearch.license.plugin.Licensing;
 import org.elasticsearch.shield.action.ShieldActionModule;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
+import org.elasticsearch.xpack.graph.Graph;
 import org.junit.BeforeClass;
 
 import java.io.IOException;