Cleanup settings filtering after elastic/elasticsearchelastic/elasticsearch#16425

This change registers all filtered settings up-front and removes all the unnecessary wrappers around SettingsFilter. This is a pretty big change and needs some review but after all things are generally simplified and settings are always filtered even if shield is not enabled which is the right thing todo. Relates to elastic/elasticsearchelastic/elasticsearch#16425 Original commit: elastic/x-pack-elasticsearch@c7df85492b
2016-02-03 21:26:08 +01:00 · 2016-02-03 21:26:08 +01:00 · 1c5d04c99b
parent 5abc2f836e
commit 1c5d04c99b
45 changed files with 94 additions and 436 deletions
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/MarvelPlugin.java
@ -23,7 +23,6 @@ import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.cleaner.CleanerService;
 import org.elasticsearch.marvel.license.LicenseModule;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.marvel.shield.MarvelShieldModule;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.xpack.XPackPlugin;
@ -70,13 +69,6 @@ public class MarvelPlugin extends Plugin {
    public Collection<Module> nodeModules() {
        List<Module> modules = new ArrayList<>();
        // Always load the security integration for tribe nodes.
        // This is useful if the tribe node is connected to a
        // protected monitored cluster: __marvel_user operations must be allowed.
        if (enabled || isTribeNode(settings) || isTribeClientNode(settings)) {
            modules.add(new MarvelShieldModule(settings));
        }
        if (enabled) {
            modules.add(new MarvelModule());
            modules.add(new LicenseModule());
@ -141,5 +133,6 @@ public class MarvelPlugin extends Plugin {
        module.registerSetting(Setting.simpleString("marvel.agent.exporter.es.ssl.truststore.password", false, Setting.Scope.CLUSTER));
        module.registerSetting(Setting.simpleString("marvel.agent.exporter.es.ssl.truststore.path", false, Setting.Scope.CLUSTER));
        module.registerSetting(Setting.boolSetting("marvel.enabled", false, false, Setting.Scope.CLUSTER));
        module.registerSettingsFilter("marvel.agent.exporters.auth.password");
    }
 }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java
@ -17,8 +17,8 @@ import org.elasticsearch.marvel.agent.collector.AbstractCollector;
 import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -65,7 +65,7 @@ public class IndexRecoveryCollector extends AbstractCollector<IndexRecoveryColle
                results.add(new IndexRecoveryMarvelDoc(clusterUUID(), TYPE, System.currentTimeMillis(), recoveryResponse));
            }
        } catch (IndexNotFoundException e) {
-            if (MarvelShieldIntegration.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
            } else {
                throw e;
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java
@ -18,8 +18,8 @@ import org.elasticsearch.marvel.agent.collector.AbstractCollector;
 import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -76,7 +76,7 @@ public class IndexStatsCollector extends AbstractCollector<IndexStatsCollector>
                results.add(new IndexStatsMarvelDoc(clusterUUID, TYPE, timestamp, indexStats));
            }
        } catch (IndexNotFoundException e) {
-            if (MarvelShieldIntegration.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
            } else {
                throw e;
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java
@ -17,8 +17,8 @@ import org.elasticsearch.marvel.agent.collector.AbstractCollector;
 import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.Arrays;
 import java.util.Collection;
@ -63,7 +63,7 @@ public class IndicesStatsCollector extends AbstractCollector<IndicesStatsCollect
            return Collections.singletonList(new IndicesStatsMarvelDoc(clusterUUID(), TYPE, System.currentTimeMillis(), indicesStats));
        } catch (IndexNotFoundException e) {
-            if (MarvelShieldIntegration.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
                return Collections.emptyList();
            }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/Exporter.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/Exporter.java
@ -12,7 +12,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
@ -123,9 +122,6 @@ public abstract class Exporter  {
            return singleton;
        }
        public void filterOutSensitiveSettings(String prefix, MarvelSettingsFilter filter) {
        }
        public abstract E create(Config config);
    }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/Exporters.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/Exporters.java
@ -16,7 +16,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.marvel.agent.exporter.local.LocalExporter;
 import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
 import java.util.ArrayList;
 import java.util.Collections;
@ -35,7 +34,6 @@ public class Exporters extends AbstractLifecycleComponent<Exporters> implements
    public static final Setting<Settings> EXPORTERS_SETTING = Setting.groupSetting("marvel.agent.exporters.", true, Setting.Scope.CLUSTER);
    private final Map<String, Exporter.Factory> factories;
    private final MarvelSettingsFilter settingsFilter;
    private final ClusterService clusterService;
    private volatile CurrentExporters exporters = CurrentExporters.EMPTY;
@ -43,12 +41,11 @@ public class Exporters extends AbstractLifecycleComponent<Exporters> implements
    @Inject
    public Exporters(Settings settings, Map<String, Exporter.Factory> factories,
-                     MarvelSettingsFilter settingsFilter, ClusterService clusterService,
+                     ClusterService clusterService,
                     ClusterSettings clusterSettings) {
        super(settings);
        this.factories = factories;
        this.settingsFilter = settingsFilter;
        this.clusterService = clusterService;
        exporterSettings = EXPORTERS_SETTING.get(settings);
        clusterSettings.addSettingsUpdateConsumer(EXPORTERS_SETTING, this::setExportersSetting);
@ -148,7 +145,6 @@ public class Exporters extends AbstractLifecycleComponent<Exporters> implements
            if (factory == null) {
                throw new SettingsException("unknown exporter type [" + type + "] set for exporter [" + name + "]");
            }
            factory.filterOutSensitiveSettings(EXPORTERS_SETTING + ".*.", settingsFilter);
            Exporter.Config config = new Exporter.Config(name, settings, exporterSettings);
            if (!config.enabled()) {
                hasDisabled = true;
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/http/HttpExporter.java
@ -28,7 +28,6 @@ import org.elasticsearch.marvel.agent.exporter.MarvelTemplateUtils;
 import org.elasticsearch.marvel.agent.renderer.Renderer;
 import org.elasticsearch.marvel.agent.renderer.RendererRegistry;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
 import org.elasticsearch.marvel.support.VersionUtils;
 import javax.net.ssl.HostnameVerifier;
@ -729,10 +728,5 @@ public class HttpExporter extends Exporter {
        public HttpExporter create(Config config) {
            return new HttpExporter(config, env, rendererRegistry);
        }
        @Override
        public void filterOutSensitiveSettings(String prefix, MarvelSettingsFilter filter) {
            filter.filterOut(prefix + AUTH_PASSWORD_SETTING);
        }
    }
 }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelSettingsFilter.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelSettingsFilter.java
@ -1,43 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.marvel.shield;
 import org.elasticsearch.common.inject.Inject;
 /**
 *
 */
 public interface MarvelSettingsFilter {
    void filterOut(String... patterns);
    class Noop implements MarvelSettingsFilter {
        public static Noop INSTANCE = new Noop();
        private Noop() {
        }
        @Override
        public void filterOut(String... patterns) {
        }
    }
    class Shield implements MarvelSettingsFilter {
        private final MarvelShieldIntegration shieldIntegration;
        @Inject
        public Shield(MarvelShieldIntegration shieldIntegration) {
            this.shieldIntegration = shieldIntegration;
        }
        @Override
        public void filterOut(String... patterns) {
            shieldIntegration.filterOutSettings(patterns);
        }
    }
 }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldIntegration.java
@ -1,37 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.marvel.shield;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 /**
 *
 */
 public class MarvelShieldIntegration {
    private final ShieldSettingsFilter settingsFilter;
    @Inject
    public MarvelShieldIntegration(Settings settings, Injector injector) {
        boolean enabled = enabled(settings);
        settingsFilter = enabled ? injector.getInstance(ShieldSettingsFilter.class) : null;
    }
    public void filterOutSettings(String... patterns) {
        if (settingsFilter != null) {
            settingsFilter.filterOut(patterns);
        }
    }
    public static boolean enabled(Settings settings) {
        return ShieldPlugin.shieldEnabled(settings);
    }
 }
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/shield/MarvelShieldModule.java
@ -1,32 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.marvel.shield;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.settings.Settings;
 /**
 *
 */
 public class MarvelShieldModule extends AbstractModule {
    private final boolean shieldEnabled;
    public MarvelShieldModule(Settings settings) {
        this.shieldEnabled = MarvelShieldIntegration.enabled(settings);
    }
    @Override
    protected void configure() {
        bind(MarvelShieldIntegration.class).asEagerSingleton();
        if (shieldEnabled) {
            bind(MarvelSettingsFilter.Shield.class).asEagerSingleton();
            bind(MarvelSettingsFilter.class).to(MarvelSettingsFilter.Shield.class);
        } else {
            bind(MarvelSettingsFilter.class).toInstance(MarvelSettingsFilter.Noop.INSTANCE);
        }
    }
 }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginClientTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginClientTests.java
@ -35,6 +35,6 @@ public class MarvelPluginClientTests extends ESTestCase {
        MarvelPlugin plugin = new MarvelPlugin(settings);
        assertThat(plugin.isEnabled(), is(true));
        Collection<Module> modules = plugin.nodeModules();
-        assertThat(modules.size(), is(6));
+        assertThat(modules.size(), is(5));
    }
 }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginTests.java
@ -10,7 +10,6 @@ import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.marvel.agent.AgentService;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.shield.MarvelShieldIntegration;
 import org.elasticsearch.marvel.test.MarvelIntegTestCase;
 import org.elasticsearch.plugins.PluginInfo;
 import org.elasticsearch.test.ESIntegTestCase.ClusterScope;
@ -45,14 +44,12 @@ public class MarvelPluginTests extends MarvelIntegTestCase {
        internalCluster().startNode(Settings.builder().put(MarvelPlugin.ENABLED, true).put(MarvelPlugin.TRIBE_NAME_SETTING, "t1").build());
        assertPluginIsLoaded();
        assertServiceIsBound(AgentService.class);
        assertServiceIsBound(MarvelShieldIntegration.class);
    }
    public void testMarvelDisabledOnTribeNode() {
        internalCluster().startNode(Settings.builder().put(MarvelPlugin.TRIBE_NAME_SETTING, "t1").build());
        assertPluginIsLoaded();
        assertServiceIsNotBound(AgentService.class);
        assertServiceIsBound(MarvelShieldIntegration.class);
    }
    private void assertPluginIsLoaded() {
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/ExportersTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/ExportersTests.java
@ -15,7 +15,6 @@ import org.elasticsearch.marvel.agent.exporter.local.LocalExporter;
 import org.elasticsearch.marvel.agent.renderer.RendererRegistry;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.cleaner.CleanerService;
 import org.elasticsearch.marvel.shield.MarvelSettingsFilter;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@ -46,7 +45,6 @@ import static org.mockito.Mockito.when;
 public class ExportersTests extends ESTestCase {
    private Exporters exporters;
    private Map<String, Exporter.Factory> factories;
    private MarvelSettingsFilter settingsFilter;
    private ClusterService clusterService;
    private ClusterSettings clusterSettings;
@ -61,8 +59,7 @@ public class ExportersTests extends ESTestCase {
        // we always need to have the local exporter as it serves as the default one
        factories.put(LocalExporter.TYPE, new LocalExporter.Factory(new InternalClient.Insecure(client), clusterService, mock(RendererRegistry.class), mock(CleanerService.class)));
        clusterSettings = new ClusterSettings(Settings.EMPTY, new HashSet<>(Arrays.asList(MarvelSettings.COLLECTORS_SETTING, MarvelSettings.INTERVAL_SETTING, Exporters.EXPORTERS_SETTING)));
-        settingsFilter = mock(MarvelSettingsFilter.class);
+        exporters = new Exporters(Settings.EMPTY, factories, clusterService, clusterSettings);
        exporters = new Exporters(Settings.EMPTY, factories, settingsFilter, clusterService, clusterSettings);
    }
    public void testInitExportersDefault() throws Exception {
@ -178,7 +175,7 @@ public class ExportersTests extends ESTestCase {
        exporters = new Exporters(Settings.builder()
                .put("marvel.agent.exporters._name0.type", "_type")
                .put("marvel.agent.exporters._name1.type", "_type")
-                .build(), factories, settingsFilter, clusterService, clusterSettings) {
+                .build(), factories, clusterService, clusterSettings) {
            @Override
            CurrentExporters initExporters(Settings settings) {
                settingsHolder.set(settings);
@ -215,7 +212,7 @@ public class ExportersTests extends ESTestCase {
        Exporters exporters = new Exporters(Settings.builder()
                .put("marvel.agent.exporters._name0.type", "mock")
                .put("marvel.agent.exporters._name1.type", "mock_master_only")
-                .build(), factories, settingsFilter, clusterService, clusterSettings);
+                .build(), factories, clusterService, clusterSettings);
        exporters.start();
        DiscoveryNode localNode = mock(DiscoveryNode.class);
@ -239,7 +236,7 @@ public class ExportersTests extends ESTestCase {
        Exporters exporters = new Exporters(Settings.builder()
                .put("marvel.agent.exporters._name0.type", "mock")
                .put("marvel.agent.exporters._name1.type", "mock_master_only")
-                .build(), factories, settingsFilter, clusterService, clusterSettings);
+                .build(), factories, clusterService, clusterSettings);
        exporters.start();
        DiscoveryNode localNode = mock(DiscoveryNode.class);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldModule.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldModule.java
@ -23,9 +23,7 @@ public class ShieldModule extends AbstractShieldModule {
            bind(SecurityContext.Secure.class).asEagerSingleton();
            bind(SecurityContext.class).to(SecurityContext.Secure.class);
            bind(ShieldLifecycleService.class).asEagerSingleton();
            bind(ShieldSettingsFilter.class).asEagerSingleton();
            bind(ShieldTemplateService.class).asEagerSingleton();
            bind(InternalClient.Secure.class).asEagerSingleton();
            bind(InternalClient.class).to(InternalClient.Secure.class);
        }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
@ -39,6 +39,7 @@ import org.elasticsearch.shield.audit.AuditTrailModule;
 import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
 import org.elasticsearch.shield.authc.AuthenticationModule;
 import org.elasticsearch.shield.authc.Realms;
 import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.authz.AuthorizationModule;
@ -186,6 +187,19 @@ public class ShieldPlugin extends Plugin {
        settingsModule.registerSetting(Setting.boolSetting("plugins.load_classpath_plugins", true, false, Setting.Scope.CLUSTER));
        // TODO add real settings for this wildcard here
        settingsModule.registerSetting(Setting.groupSetting("shield.", false, Setting.Scope.CLUSTER));
        String[] asArray = settings.getAsArray("shield.hide_settings");
        for (String pattern : asArray) {
            settingsModule.registerSettingsFilter(pattern);
        }
        settingsModule.registerSettingsFilter("shield.hide_settings");
        settingsModule.registerSettingsFilter("shield.ssl.*");
        settingsModule.registerSettingsFilter("shield.authc.realms.*.bind_dn");
        settingsModule.registerSettingsFilter("shield.authc.realms.*.bind_password");
        settingsModule.registerSettingsFilter("shield.authc.realms.*." + SessionFactory.HOSTNAME_VERIFICATION_SETTING);
        settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.password");
        settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.path");
        settingsModule.registerSettingsFilter("shield.authc.realms.*.truststore.algorithm");
        settingsModule.registerSettingsFilter("transport.profiles.*.shield.*");
    }
    @Override
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldSettingsFilter.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldSettingsFilter.java
@ -1,33 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.shield;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
 /**
 *
 */
 public class ShieldSettingsFilter {
    static final String HIDE_SETTINGS_SETTING = "shield.hide_settings";
    private final SettingsFilter filter;
    @Inject
    public ShieldSettingsFilter(Settings settings, SettingsFilter settingsFilter) {
        this.filter = settingsFilter;
        filter.addFilter(HIDE_SETTINGS_SETTING);
        filterOut(settings.getAsArray(HIDE_SETTINGS_SETTING));
    }
    public void filterOut(String... patterns) {
        for (String pattern : patterns) {
            filter.addFilter(pattern);
        }
    }
 }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realm.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realm.java
@ -7,7 +7,6 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.User;
 /**
@ -122,9 +121,6 @@ public abstract class Realm<T extends AuthenticationToken> implements Comparable
            return internal;
        }
        public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
        }
        /**
         * Creates a new realm based on the given settigns.
         *
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/Realms.java
@ -10,7 +10,6 @@ import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.esnative.ESNativeRealm;
 import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
 import org.elasticsearch.shield.license.ShieldLicenseState;
@ -30,7 +29,6 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
    private final Environment env;
    private final Map<String, Realm.Factory> factories;
    private final ShieldSettingsFilter settingsFilter;
    private final ShieldLicenseState shieldLicenseState;
    protected List<Realm> realms = Collections.emptyList();
@ -38,12 +36,10 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
    protected List<Realm> internalRealmsOnly = Collections.emptyList();
    @Inject
-    public Realms(Settings settings, Environment env, Map<String, Realm.Factory> factories,
+    public Realms(Settings settings, Environment env, Map<String, Realm.Factory> factories, ShieldLicenseState shieldLicenseState) {
                  ShieldSettingsFilter settingsFilter, ShieldLicenseState shieldLicenseState) {
        super(settings);
        this.env = env;
        this.factories = factories;
        this.settingsFilter = settingsFilter;
        this.shieldLicenseState = shieldLicenseState;
    }
@ -108,7 +104,6 @@ public class Realms extends AbstractLifecycleComponent<Realms> implements Iterab
            if (factory == null) {
                throw new IllegalArgumentException("unknown realm type [" + type + "] set for realm [" + name + "]");
            }
            factory.filterOutSensitiveSettings(name, settingsFilter);
            RealmConfig config = new RealmConfig(name, realmSettings, settings, env);
            if (!config.enabled()) {
                if (logger.isDebugEnabled()) {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectoryRealm.java
@ -7,7 +7,6 @@ package org.elasticsearch.shield.authc.activedirectory;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.rest.RestController;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.ldap.support.AbstractLdapRealm;
 import org.elasticsearch.shield.authc.support.DnRoleMapper;
@ -40,11 +39,6 @@ public class ActiveDirectoryRealm extends AbstractLdapRealm {
            this.clientSSLService = clientSSLService;
        }
        @Override
        public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
            ActiveDirectorySessionFactory.filterOutSensitiveSettings(realmName, filter);
        }
        @Override
        public ActiveDirectoryRealm create(RealmConfig config) {
            ActiveDirectorySessionFactory connectionFactory = new ActiveDirectorySessionFactory(config, clientSSLService);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
@ -11,7 +11,6 @@ import com.unboundid.ldap.sdk.SearchRequest;
 import com.unboundid.ldap.sdk.SearchResult;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.shield.authc.ldap.support.LdapSession;
@ -62,9 +61,6 @@ public class ActiveDirectorySessionFactory extends SessionFactory {
        groupResolver = new ActiveDirectoryGroupsResolver(settings.getAsSettings("group_search"), domainDN);
    }
    static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
        filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
    }
    @Override
    protected LDAPServers ldapServers(Settings settings) {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.rest.RestController;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.ldap.support.AbstractLdapRealm;
 import org.elasticsearch.shield.authc.ldap.support.SessionFactory;
@ -42,11 +41,6 @@ public class LdapRealm extends AbstractLdapRealm {
            this.clientSSLService = clientSSLService;
        }
        @Override
        public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
            LdapUserSearchSessionFactory.filterOutSensitiveSettings(realmName, filter);
        }
        @Override
        public LdapRealm create(RealmConfig config) {
            try {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
@ -17,7 +17,6 @@ import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.shield.authc.ldap.support.LdapSearchScope;
 import org.elasticsearch.shield.authc.ldap.support.LdapSession;
@ -73,12 +72,6 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
        return connectionPool;
    }
    static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
        filter.filterOut("shield.authc.realms." + realmName + ".bind_dn");
        filter.filterOut("shield.authc.realms." + realmName + ".bind_password");
        filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
    }
    static LDAPConnectionPool createConnectionPool(RealmConfig config, ServerSet serverSet, TimeValue timeout, ESLogger logger) {
        Settings settings = config.settings();
        SimpleBindRequest bindRequest = bindRequest(settings);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/pki/PkiRealm.java
@ -11,7 +11,6 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.authc.AuthenticationToken;
 import org.elasticsearch.shield.authc.Realm;
@ -183,12 +182,6 @@ public class PkiRealm extends Realm<X509AuthenticationToken> {
        return trustManagerList.toArray(new X509TrustManager[trustManagerList.size()]);
    }
    static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
        filter.filterOut("shield.authc.realms." + realmName + "." + "truststore.password");
        filter.filterOut("shield.authc.realms." + realmName + "." + "truststore.path");
        filter.filterOut("shield.authc.realms." + realmName + "." + "truststore.algorithm");
    }
    /**
     * Checks to see if both SSL and Client authentication are enabled on at least one network communication layer. If
     * not an error message will be logged
@ -234,11 +227,6 @@ public class PkiRealm extends Realm<X509AuthenticationToken> {
            this.watcherService = watcherService;
        }
        @Override
        public void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
            PkiRealm.filterOutSensitiveSettings(realmName, filter);
        }
        @Override
        public PkiRealm create(RealmConfig config) {
            DnRoleMapper roleMapper = new DnRoleMapper(TYPE, config, watcherService, null);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ssl/ServerSSLService.java
@ -8,17 +8,12 @@ package org.elasticsearch.shield.ssl;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 public class ServerSSLService extends AbstractSSLService {
    @Inject
-    public ServerSSLService(Settings settings, ShieldSettingsFilter settingsFilter, Environment environment) {
+    public ServerSSLService(Settings settings, Environment environment) {
        super(settings, environment);
        // we need to filter out all this sensitive information from all rest
        // responses
        settingsFilter.filterOut("shield.ssl.*");
    }
    @Override
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransport.java
@ -13,7 +13,6 @@ import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.ssl.ClientSSLService;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.SSLClientAuth;
@ -51,20 +50,18 @@ public class ShieldNettyTransport extends NettyTransport {
    private final ServerSSLService serverSslService;
    private final ClientSSLService clientSSLService;
    private final ShieldSettingsFilter settingsFilter;
    private final @Nullable IPFilter authenticator;
    private final boolean ssl;
    @Inject
    public ShieldNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays, Version version,
                                @Nullable IPFilter authenticator, @Nullable ServerSSLService serverSSLService, ClientSSLService clientSSLService,
-                                ShieldSettingsFilter settingsFilter, NamedWriteableRegistry namedWriteableRegistry) {
+                                NamedWriteableRegistry namedWriteableRegistry) {
        super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry);
        this.authenticator = authenticator;
        this.ssl = settings.getAsBoolean(TRANSPORT_SSL_SETTING, TRANSPORT_SSL_DEFAULT);
        this.serverSslService = serverSSLService;
        this.clientSSLService = clientSSLService;
        this.settingsFilter = settingsFilter;
    }
    @Override
@ -120,7 +117,6 @@ public class ShieldNettyTransport extends NettyTransport {
        public SslServerChannelPipelineFactory(NettyTransport nettyTransport, String name, Settings settings, Settings profileSettings) {
            super(nettyTransport, name, settings);
            this.profileSettings = profileSettings;
            settingsFilter.filterOut("transport.profiles." + name + ".shield.*");
        }
        @Override
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/AuditTrailModuleTests.java
@ -12,7 +12,6 @@ import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.network.NetworkService;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.indices.breaker.CircuitBreakerModule;
 import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
@ -35,7 +34,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                .put("client.type", "node")
                .put("shield.audit.enabled", false)
                .build();
-        SettingsModule settingsModule = new SettingsModule(settings, new SettingsFilter(settings));
+        SettingsModule settingsModule = new SettingsModule(settings);
        settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, false, Setting.Scope.CLUSTER));
        Injector injector = Guice.createInjector(settingsModule, new AuditTrailModule(settings));
        AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
@ -45,7 +44,7 @@ public class AuditTrailModuleTests extends ESTestCase {
    public void testDisabledByDefault() throws Exception {
        Settings settings = Settings.builder()
                .put("client.type", "node").build();
-        Injector injector = Guice.createInjector(new SettingsModule(settings, new SettingsFilter(settings)), new AuditTrailModule(settings));
+        Injector injector = Guice.createInjector(new SettingsModule(settings), new AuditTrailModule(settings));
        AuditTrail auditTrail = injector.getInstance(AuditTrail.class);
        assertThat(auditTrail, is(AuditTrail.NOOP));
    }
@ -57,7 +56,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                .build();
        ThreadPool pool = new ThreadPool("testLogFile");
        try {
-            SettingsModule settingsModule = new SettingsModule(settings, new SettingsFilter(settings));
+            SettingsModule settingsModule = new SettingsModule(settings);
            settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, false, Setting.Scope.CLUSTER));
            Injector injector = Guice.createInjector(
                    settingsModule,
@ -89,7 +88,7 @@ public class AuditTrailModuleTests extends ESTestCase {
                .put("shield.audit.outputs" , "foo")
                .put("client.type", "node")
                .build();
-        SettingsModule settingsModule = new SettingsModule(settings, new SettingsFilter(settings));
+        SettingsModule settingsModule = new SettingsModule(settings);
        settingsModule.registerSetting(Setting.boolSetting("shield.audit.enabled", true, false, Setting.Scope.CLUSTER));
        settingsModule.registerSetting(Setting.simpleString("shield.audit.outputs", false, Setting.Scope.CLUSTER));
        try {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java
@ -13,7 +13,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.SystemUser;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.audit.AuditTrail;
@ -86,7 +85,7 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
        Settings settings = Settings.builder().put("path.home", createTempDir()).build();
        ShieldLicenseState shieldLicenseState = mock(ShieldLicenseState.class);
        when(shieldLicenseState.customRealmsEnabled()).thenReturn(true);
-        realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.<String, Realm.Factory>emptyMap(), mock(ShieldSettingsFilter.class), shieldLicenseState) {
+        realms = new Realms(Settings.EMPTY, new Environment(settings), Collections.<String, Realm.Factory>emptyMap(), shieldLicenseState) {
            @Override
            protected void doStart() {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/RealmsTests.java
@ -8,7 +8,6 @@ package org.elasticsearch.shield.authc;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.authc.esusers.ESUsersRealm;
 import org.elasticsearch.shield.authc.ldap.LdapRealm;
@ -36,7 +35,6 @@ import static org.mockito.Mockito.when;
 */
 public class RealmsTests extends ESTestCase {
    private Map<String, Realm.Factory> factories;
    private ShieldSettingsFilter settingsFilter;
    private ShieldLicenseState shieldLicenseState;
    @Before
@ -47,7 +45,6 @@ public class RealmsTests extends ESTestCase {
            DummyRealm.Factory factory = new DummyRealm.Factory("type_" + i, rarely());
            factories.put("type_" + i, factory);
        }
        settingsFilter = mock(ShieldSettingsFilter.class);
        shieldLicenseState = mock(ShieldLicenseState.class);
        when(shieldLicenseState.customRealmsEnabled()).thenReturn(true);
    }
@ -68,7 +65,7 @@ public class RealmsTests extends ESTestCase {
        }
        Settings settings = builder.build();
        Environment env = new Environment(settings);
-        Realms realms = new Realms(settings, env, factories, settingsFilter, shieldLicenseState);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState);
        realms.start();
        int i = 0;
        for (Realm realm : realms) {
@ -90,7 +87,7 @@ public class RealmsTests extends ESTestCase {
                .build();
        Environment env = new Environment(settings);
        try {
-            new Realms(settings, env, factories, settingsFilter, shieldLicenseState).start();
+            new Realms(settings, env, factories, shieldLicenseState).start();
            fail("Expected IllegalArgumentException");
        } catch (IllegalArgumentException e) {
            assertThat(e.getMessage(), containsString("multiple [esusers] realms are configured"));
@ -99,7 +96,7 @@ public class RealmsTests extends ESTestCase {
    public void testWithEmptySettings() throws Exception {
        Realms realms = new Realms(Settings.EMPTY, new Environment(Settings.builder().put("path.home", createTempDir()).build()),
-                factories, settingsFilter, shieldLicenseState);
+                factories, shieldLicenseState);
        realms.start();
        Iterator<Realm> iter = realms.iterator();
        assertThat(iter.hasNext(), is(true));
@ -126,7 +123,7 @@ public class RealmsTests extends ESTestCase {
        }
        Settings settings = builder.build();
        Environment env = new Environment(settings);
-        Realms realms = new Realms(settings, env, factories, settingsFilter, shieldLicenseState);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState);
        realms.start();
        int i = 0;
        // this is the iterator when licensed
@ -158,7 +155,7 @@ public class RealmsTests extends ESTestCase {
                .put("shield.authc.realms.custom.order", "1");
        Settings settings = builder.build();
        Environment env = new Environment(settings);
-        Realms realms = new Realms(settings, env, factories, settingsFilter, shieldLicenseState);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState);
        realms.start();
        int i = 0;
        // this is the iterator when licensed
@ -199,7 +196,7 @@ public class RealmsTests extends ESTestCase {
        }
        Settings settings = builder.build();
        Environment env = new Environment(settings);
-        Realms realms = new Realms(settings, env, factories, mock(ShieldSettingsFilter.class), shieldLicenseState);
+        Realms realms = new Realms(settings, env, factories, shieldLicenseState);
        realms.start();
        Iterator<Realm> iterator = realms.iterator();
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ssl/ServerSSLServiceTests.java
@ -9,7 +9,6 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.test.ESTestCase;
 import org.junit.Before;
@ -37,13 +36,11 @@ import static org.mockito.Mockito.mock;
 public class ServerSSLServiceTests extends ESTestCase {
    Path testnodeStore;
    ShieldSettingsFilter settingsFilter;
    Environment env;
    @Before
    public void setup() throws Exception {
        testnodeStore = getDataPath("/org/elasticsearch/shield/transport/ssl/certs/simple/testnode.jks");
        settingsFilter = mock(ShieldSettingsFilter.class);
        env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
    }
@ -56,7 +53,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.truststore.password", "testnode")
                .build();
        try {
-            new ServerSSLService(settings, settingsFilter, env).createSSLEngine();
+            new ServerSSLService(settings, env).createSSLEngine();
            fail("expected an exception");
        } catch (ElasticsearchException e) {
            assertThat(e.getMessage(), containsString("failed to initialize the SSLContext"));
@ -70,7 +67,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
                .build();
-        ServerSSLService sslService = new ServerSSLService(settings, settingsFilter, env);
+        ServerSSLService sslService = new ServerSSLService(settings, env);
        Settings.Builder settingsBuilder = settingsBuilder()
                .put("truststore.path", testClientStore)
@ -87,7 +84,7 @@ public class ServerSSLServiceTests extends ESTestCase {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
            .put("shield.ssl.keystore.path", testnodeStore)
            .put("shield.ssl.keystore.password", "testnode")
-            .build(), settingsFilter, env);
+            .build(), env);
        SSLContext sslContext = sslService.sslContext();
        SSLContext cachedSslContext = sslService.sslContext();
@ -101,7 +98,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.path", differentPasswordsStore)
                .put("shield.ssl.keystore.password", "testnode")
                .put("shield.ssl.keystore.key_password", "testnode1")
-                .build(), settingsFilter, env).createSSLEngine();
+                .build(), env).createSSLEngine();
    }
    public void testIncorrectKeyPasswordThrowsException() throws Exception {
@ -110,7 +107,7 @@ public class ServerSSLServiceTests extends ESTestCase {
            new ServerSSLService(settingsBuilder()
                    .put("shield.ssl.keystore.path", differentPasswordsStore)
                    .put("shield.ssl.keystore.password", "testnode")
-                    .build(), settingsFilter, env).createSSLEngine();
+                    .build(), env).createSSLEngine();
            fail("expected an exception");
        } catch (ElasticsearchException e) {
            assertThat(e.getMessage(), containsString("failed to initialize a KeyManagerFactory"));
@ -121,7 +118,7 @@ public class ServerSSLServiceTests extends ESTestCase {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
-                .build(), settingsFilter, env);
+                .build(), env);
        SSLEngine engine = sslService.createSSLEngine();
        assertThat(Arrays.asList(engine.getEnabledProtocols()), not(hasItem("SSLv3")));
    }
@ -130,7 +127,7 @@ public class ServerSSLServiceTests extends ESTestCase {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
-                .build(), settingsFilter, env);
+                .build(), env);
        SSLSessionContext context = sslService.sslContext().getServerSessionContext();
        assertThat(context.getSessionCacheSize(), equalTo(1000));
        assertThat(context.getSessionTimeout(), equalTo((int) TimeValue.timeValueHours(24).seconds()));
@ -142,14 +139,14 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.password", "testnode")
                .put("shield.ssl.session.cache_size", "300")
                .put("shield.ssl.session.cache_timeout", "600s")
-                .build(), settingsFilter, env);
+                .build(), env);
        SSLSessionContext context = sslService.sslContext().getServerSessionContext();
        assertThat(context.getSessionCacheSize(), equalTo(300));
        assertThat(context.getSessionTimeout(), equalTo(600));
    }
    public void testThatCreateSSLEngineWithoutAnySettingsDoesNotWork() throws Exception {
-        ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, settingsFilter, env);
+        ServerSSLService sslService = new ServerSSLService(Settings.EMPTY, env);
        try {
            sslService.createSSLEngine();
            fail("Expected IllegalArgumentException");
@ -162,7 +159,7 @@ public class ServerSSLServiceTests extends ESTestCase {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
                .put("shield.ssl.truststore.path", testnodeStore)
                .put("shield.ssl.truststore.password", "testnode")
-                .build(), settingsFilter, env);
+                .build(), env);
        try {
            sslService.createSSLEngine();
            fail("Expected IllegalArgumentException");
@ -176,7 +173,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
                .put("shield.ssl.truststore.path", testnodeStore)
-                .build(), settingsFilter, env);
+                .build(), env);
        try {
            sslService.sslContext();
            fail("Expected IllegalArgumentException");
@ -188,7 +185,7 @@ public class ServerSSLServiceTests extends ESTestCase {
    public void testThatKeystorePasswordIsRequired() throws Exception {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
                .put("shield.ssl.keystore.path", testnodeStore)
-                .build(), settingsFilter, env);
+                .build(), env);
        try {
            sslService.sslContext();
            fail("Expected IllegalArgumentException");
@ -205,7 +202,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
                .putArray("shield.ssl.ciphers", ciphers.toArray(new String[ciphers.size()]))
-                .build(), settingsFilter, env);
+                .build(), env);
        SSLEngine engine = sslService.createSSLEngine();
        assertThat(engine, is(notNullValue()));
        String[] enabledCiphers = engine.getEnabledCipherSuites();
@ -217,7 +214,7 @@ public class ServerSSLServiceTests extends ESTestCase {
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
                .putArray("shield.ssl.ciphers", new String[] { "foo", "bar" })
-                .build(), settingsFilter, env);
+                .build(), env);
        try {
            sslService.createSSLEngine();
            fail("Expected IllegalArgumentException");
@ -231,7 +228,7 @@ public class ServerSSLServiceTests extends ESTestCase {
        ServerSSLService sslService = new ServerSSLService(settingsBuilder()
                .put("shield.ssl.keystore.path", testnodeStore)
                .put("shield.ssl.keystore.password", "testnode")
-                .build(), settingsFilter, env);
+                .build(), env);
        SSLSocketFactory factory = sslService.sslSocketFactory();
        assertThat(factory.getDefaultCipherSuites(), is(sslService.ciphers()));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/HandshakeWaitingHandlerTests.java
@ -9,7 +9,6 @@ import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.test.ESTestCase;
 import org.jboss.netty.bootstrap.ClientBootstrap;
@ -77,8 +76,7 @@ public class HandshakeWaitingHandlerTests extends ESTestCase {
                .put("shield.ssl.keystore.password", "testnode")
                .build();
        Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
-        ShieldSettingsFilter settingsFilter = new ShieldSettingsFilter(settings, new SettingsFilter(settings));
+        ServerSSLService sslService = new ServerSSLService(settings, env);
        ServerSSLService sslService = new ServerSSLService(settings, settingsFilter, env);
        sslContext = sslService.sslContext();
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransportTests.java
@ -11,7 +11,6 @@ import org.elasticsearch.common.settings.SettingsFilter;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.http.netty.NettyHttpMockUtil;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.SSLClientAuth;
 import org.elasticsearch.shield.transport.filter.IPFilter;
@ -40,8 +39,7 @@ public class ShieldNettyHttpServerTransportTests extends ESTestCase {
                .put("shield.ssl.keystore.password", "testnode")
                .build();
        Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
-        ShieldSettingsFilter settingsFilter = new ShieldSettingsFilter(settings, new SettingsFilter(settings));
+        serverSSLService = new ServerSSLService(settings, env);
        serverSSLService = new ServerSSLService(settings, settingsFilter, env);
    }
    public void testDefaultClientAuth() throws Exception {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/netty/ShieldNettyTransportTests.java
@ -12,7 +12,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsFilter;
 import org.elasticsearch.common.util.BigArrays;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 import org.elasticsearch.shield.ssl.ClientSSLService;
 import org.elasticsearch.shield.ssl.ServerSSLService;
 import org.elasticsearch.shield.transport.SSLClientAuth;
@ -35,7 +34,6 @@ import static org.mockito.Mockito.mock;
 public class ShieldNettyTransportTests extends ESTestCase {
    private ServerSSLService serverSSLService;
    private ClientSSLService clientSSLService;
    private ShieldSettingsFilter settingsFilter;
    @Before
    public void createSSLService() throws Exception {
@ -45,15 +43,14 @@ public class ShieldNettyTransportTests extends ESTestCase {
                .put("shield.ssl.keystore.password", "testnode")
                .build();
        Environment env = new Environment(settingsBuilder().put("path.home", createTempDir()).build());
-        settingsFilter = new ShieldSettingsFilter(settings, new SettingsFilter(settings));
+        serverSSLService = new ServerSSLService(settings, env);
        serverSSLService = new ServerSSLService(settings, settingsFilter, env);
        clientSSLService = new ClientSSLService(settings);
        clientSSLService.setEnvironment(env);
    }
    public void testThatSSLCanBeDisabledByProfile() throws Exception {
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", settingsBuilder().put("shield.ssl", false).build());
        assertThat(factory.getPipeline().get(SslHandler.class), nullValue());
@ -61,7 +58,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testThatSSLCanBeEnabledByProfile() throws Exception {
        Settings settings = settingsBuilder().put("shield.transport.ssl", false).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", settingsBuilder().put("shield.ssl", true).build());
        assertThat(factory.getPipeline().get(SslHandler.class), notNullValue());
@ -69,7 +66,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testThatProfileTakesDefaultSSLSetting() throws Exception {
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine(), notNullValue());
@ -77,7 +74,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testDefaultClientAuth() throws Exception {
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -89,7 +86,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
        Settings settings = settingsBuilder()
                .put("shield.transport.ssl", true)
                .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -101,7 +98,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
        Settings settings = settingsBuilder()
                .put("shield.transport.ssl", true)
                .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -113,7 +110,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
        Settings settings = settingsBuilder()
                .put("shield.transport.ssl", true)
                .put(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING, value).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.EMPTY);
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -123,7 +120,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testProfileRequiredClientAuth() throws Exception {
        String value = randomFrom(SSLClientAuth.REQUIRED.name(), SSLClientAuth.REQUIRED.name().toLowerCase(Locale.ROOT), "true", "TRUE");
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build());
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(true));
@ -133,7 +130,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testProfileNoClientAuth() throws Exception {
        String value = randomFrom(SSLClientAuth.NO.name(), "false", "FALSE", SSLClientAuth.NO.name().toLowerCase(Locale.ROOT));
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build());
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
@ -143,7 +140,7 @@ public class ShieldNettyTransportTests extends ESTestCase {
    public void testProfileOptionalClientAuth() throws Exception {
        String value = randomFrom(SSLClientAuth.OPTIONAL.name(), SSLClientAuth.OPTIONAL.name().toLowerCase(Locale.ROOT));
        Settings settings = settingsBuilder().put("shield.transport.ssl", true).build();
-        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, settingsFilter, mock(NamedWriteableRegistry.class));
+        ShieldNettyTransport transport = new ShieldNettyTransport(settings, mock(ThreadPool.class), mock(NetworkService.class), mock(BigArrays.class), Version.CURRENT, null, serverSSLService, clientSSLService, mock(NamedWriteableRegistry.class));
        NettyMockUtil.setOpenChannelsHandlerToMock(transport);
        ChannelPipelineFactory factory = transport.configureServerChannelPipelineFactory("client", Settings.builder().put(ShieldNettyTransport.TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, value).build());
        assertThat(factory.getPipeline().get(SslHandler.class).getEngine().getNeedClientAuth(), is(false));
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
@ -28,6 +28,7 @@ import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
 import org.elasticsearch.watcher.actions.hipchat.service.HipChatService;
 import org.elasticsearch.watcher.actions.hipchat.service.InternalHipChatService;
 import org.elasticsearch.watcher.actions.pagerduty.service.InternalPagerDutyService;
 import org.elasticsearch.watcher.actions.pagerduty.service.PagerDutyAccount;
 import org.elasticsearch.watcher.actions.pagerduty.service.PagerDutyService;
 import org.elasticsearch.watcher.actions.slack.service.InternalSlackService;
 import org.elasticsearch.watcher.actions.slack.service.SlackService;
@ -217,6 +218,14 @@ public class WatcherPlugin extends Plugin {
        module.registerSetting(Setting.simpleString("watcher.execution.scroll.timeout", false, Setting.Scope.CLUSTER));
        module.registerSetting(Setting.simpleString("watcher.start_immediately", false, Setting.Scope.CLUSTER));
        module.registerSetting(Setting.simpleString("watcher.http.default_connection_timeout", false, Setting.Scope.CLUSTER));
        module.registerSettingsFilter("watcher.actions.email.service.account.*.smtp.password");
        module.registerSettingsFilter("watcher.actions.slack.service.account.*.url");
        module.registerSettingsFilter("watcher.actions.hipchat.service.account.*.url");
        module.registerSettingsFilter("watcher.actions.pagerduty.service.account.*.url");
        module.registerSettingsFilter("watcher.actions.pagerduty.service." + PagerDutyAccount.SERVICE_KEY_SETTING);
        module.registerSettingsFilter("watcher.actions.pagerduty.service.account.*." + PagerDutyAccount.SERVICE_KEY_SETTING);
        module.registerSettingsFilter("watcher.actions.hipchat.service.account.*.auth_token");
    }
    public void onModule(NetworkModule module) {
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/InternalEmailService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/email/service/InternalEmailService.java
@ -12,7 +12,6 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import javax.mail.MessagingException;
@ -30,11 +29,10 @@ public class InternalEmailService extends AbstractLifecycleComponent<EmailServic
    @Inject
-    public InternalEmailService(Settings settings, SecretService secretService, ClusterSettings clusterSettings, WatcherSettingsFilter settingsFilter) {
+    public InternalEmailService(Settings settings, SecretService secretService, ClusterSettings clusterSettings) {
        super(settings);
        this.secretService = secretService;
        clusterSettings.addSettingsUpdateConsumer(EMAIL_ACCOUNT_SETTING, this::setEmailAccountSettings);
        settingsFilter.filterOut("watcher.actions.email.service.account.*.smtp.password");
        setEmailAccountSettings(EMAIL_ACCOUNT_SETTING.get(settings));
    }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/hipchat/service/InternalHipChatService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/hipchat/service/InternalHipChatService.java
@ -10,7 +10,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.http.HttpClient;
 /**
@ -23,10 +22,9 @@ public class InternalHipChatService extends AbstractLifecycleComponent<HipChatSe
    public static final Setting<Settings> HIPCHAT_ACCOUNT_SETTING = Setting.groupSetting("watcher.actions.hipchat.service.", true, Setting.Scope.CLUSTER);
    @Inject
-    public InternalHipChatService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings, WatcherSettingsFilter settingsFilter) {
+    public InternalHipChatService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings) {
        super(settings);
        this.httpClient = httpClient;
        settingsFilter.filterOut("watcher.actions.hipchat.service.account.*.auth_token");
        clusterSettings.addSettingsUpdateConsumer(HIPCHAT_ACCOUNT_SETTING, this::setHipchatAccountSetting);
    }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/pagerduty/service/InternalPagerDutyService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/pagerduty/service/InternalPagerDutyService.java
@ -10,7 +10,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.http.HttpClient;
 /**
@ -24,14 +23,9 @@ public class InternalPagerDutyService extends AbstractLifecycleComponent<PagerDu
    private volatile PagerDutyAccounts accounts;
    @Inject
-    public InternalPagerDutyService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings,
+    public InternalPagerDutyService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings) {
                                    WatcherSettingsFilter settingsFilter) {
        super(settings);
        this.httpClient = httpClient;
        settingsFilter.filterOut(
                "watcher.actions.pagerduty.service." + PagerDutyAccount.SERVICE_KEY_SETTING,
                "watcher.actions.pagerduty.service.account.*." + PagerDutyAccount.SERVICE_KEY_SETTING
        );
        clusterSettings.addSettingsUpdateConsumer(PAGERDUTY_ACCOUNT_SETTING, this::setPagerDutyAccountSetting);
    }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/slack/service/InternalSlackService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/actions/slack/service/InternalSlackService.java
@ -10,7 +10,6 @@ import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.http.HttpClient;
 /**
@ -23,10 +22,9 @@ public class InternalSlackService extends AbstractLifecycleComponent<SlackServic
    private volatile SlackAccounts accounts;
    @Inject
-    public InternalSlackService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings, WatcherSettingsFilter settingsFilter) {
+    public InternalSlackService(Settings settings, HttpClient httpClient, ClusterSettings clusterSettings) {
        super(settings);
        this.httpClient = httpClient;
        settingsFilter.filterOut("watcher.actions.slack.service.account.*.url");
        clusterSettings.addSettingsUpdateConsumer(SLACK_ACCOUNT_SETTING, this::setSlackAccountSetting);
    }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
@ -1,37 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.ShieldSettingsFilter;
 /**
 *
 */
 public class ShieldIntegration {
    private final ShieldSettingsFilter settingsFilter;
    @Inject
    public ShieldIntegration(Settings settings, Injector injector) {
        boolean enabled = enabled(settings);
        settingsFilter = enabled ? injector.getInstance(ShieldSettingsFilter.class) : null;
    }
    public void filterOutSettings(String... patterns) {
        if (settingsFilter != null) {
            settingsFilter.filterOut(patterns);
        }
    }
    public static boolean enabled(Settings settings) {
        return ShieldPlugin.shieldEnabled(settings);
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherSettingsFilter.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherSettingsFilter.java
@ -1,43 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.inject.Inject;
 /**
 *
 */
 public interface WatcherSettingsFilter {
    void filterOut(String... patterns);
    class Noop implements WatcherSettingsFilter {
        public static Noop INSTANCE = new Noop();
        private Noop() {
        }
        @Override
        public void filterOut(String... patterns) {
        }
    }
    class Shield implements WatcherSettingsFilter {
        private final ShieldIntegration shieldIntegration;
        @Inject
        public Shield(ShieldIntegration shieldIntegration) {
            this.shieldIntegration = shieldIntegration;
        }
        @Override
        public void filterOut(String... patterns) {
            shieldIntegration.filterOutSettings(patterns);
        }
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
@ -9,6 +9,7 @@ import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 /**
@ -18,12 +19,9 @@ public class WatcherShieldModule extends AbstractModule {
    private final ESLogger logger;
    private final boolean enabled;
    public WatcherShieldModule(Settings settings) {
        this.logger = Loggers.getLogger(WatcherShieldModule.class, settings);
-        this.enabled = ShieldIntegration.enabled(settings);
+        if (ShieldPlugin.shieldEnabled(settings)) {
        if (enabled) {
            registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
            registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
        }
@ -43,12 +41,5 @@ public class WatcherShieldModule extends AbstractModule {
    @Override
    protected void configure() {
        bind(ShieldIntegration.class).asEagerSingleton();
        if (enabled) {
            bind(WatcherSettingsFilter.Shield.class).asEagerSingleton();
            bind(WatcherSettingsFilter.class).to(WatcherSettingsFilter.Shield.class);
        } else {
            bind(WatcherSettingsFilter.class).toInstance(WatcherSettingsFilter.Noop.INSTANCE);
        }
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
@ -7,7 +7,7 @@ package org.elasticsearch.watcher.support.secret;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.watcher.shield.ShieldIntegration;
+import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.watcher.shield.ShieldSecretService;
 /**
@ -18,7 +18,7 @@ public class SecretModule extends AbstractModule {
    private final boolean shieldEnabled;
    public SecretModule(Settings settings) {
-        shieldEnabled = ShieldIntegration.enabled(settings);
+        shieldEnabled = ShieldPlugin.shieldEnabled(settings);
    }
    @Override
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java
@ -9,7 +9,6 @@ import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.secret.Secret;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import org.junit.After;
@ -34,7 +33,7 @@ public class InternalEmailServiceTests extends ESTestCase {
    @Before
    public void init() throws Exception {
        accounts = mock(Accounts.class);
-        service = new InternalEmailService(Settings.EMPTY, new SecretService.PlainText(), new ClusterSettings(Settings.EMPTY, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING)), WatcherSettingsFilter.Noop.INSTANCE) {
+        service = new InternalEmailService(Settings.EMPTY, new SecretService.PlainText(), new ClusterSettings(Settings.EMPTY, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING))) {
            @Override
            protected Accounts createAccounts(Settings settings, ESLogger logger) {
                return accounts;
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java
@ -12,7 +12,6 @@ import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import java.io.IOException;
@ -130,7 +129,7 @@ public class ManualPublicSmtpServersTester {
    static InternalEmailService startEmailService(Settings.Builder builder) {
        Settings settings = builder.build();
-        InternalEmailService service = new InternalEmailService(settings, new SecretService.PlainText(), new ClusterSettings(settings, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING)), WatcherSettingsFilter.Noop.INSTANCE);
+        InternalEmailService service = new InternalEmailService(settings, new SecretService.PlainText(), new ClusterSettings(settings, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING)));
        service.start();
        return service;
    }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/hipchat/service/InternalHipChatServiceTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/hipchat/service/InternalHipChatServiceTests.java
@ -9,7 +9,6 @@ import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.watcher.shield.WatcherSettingsFilter;
 import org.elasticsearch.watcher.support.http.HttpClient;
 import org.junit.Before;
@ -31,12 +30,10 @@ import static org.mockito.Mockito.verify;
 */
 public class InternalHipChatServiceTests extends ESTestCase {
    private HttpClient httpClient;
    private WatcherSettingsFilter settingsFilter;
    @Before
    public void init() throws Exception {
        httpClient = mock(HttpClient.class);
        settingsFilter = mock(WatcherSettingsFilter.class);
    }
    public void testSingleAccountV1() throws Exception {
@ -58,7 +55,7 @@ public class InternalHipChatServiceTests extends ESTestCase {
            settingsBuilder.put("watcher.actions.hipchat.service.account." + accountName + ".port", port);
        }
        buildMessageDefaults(accountName, settingsBuilder, defaultRoom, null, defaultFrom, defaultColor, defaultFormat, defaultNotify);
-        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)), settingsFilter);
+        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)));
        service.start();
        HipChatAccount account = service.getAccount(accountName);
@ -83,8 +80,6 @@ public class InternalHipChatServiceTests extends ESTestCase {
        // with a single account defined, making sure that that account is set to the default one.
        assertThat(service.getDefaultAccount(), sameInstance(account));
        assertThatSettingsFilterWasAdded();
    }
    public void testSingleAccountIntegration() throws Exception {
@ -107,7 +102,7 @@ public class InternalHipChatServiceTests extends ESTestCase {
            settingsBuilder.put("watcher.actions.hipchat.service.account." + accountName + ".port", port);
        }
        buildMessageDefaults(accountName, settingsBuilder, null, null, defaultFrom, defaultColor, defaultFormat, defaultNotify);
-        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)), settingsFilter);
+        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)));
        service.start();
        HipChatAccount account = service.getAccount(accountName);
@ -127,8 +122,6 @@ public class InternalHipChatServiceTests extends ESTestCase {
        // with a single account defined, making sure that that account is set to the default one.
        assertThat(service.getDefaultAccount(), sameInstance(account));
        assertThatSettingsFilterWasAdded();
    }
    public void testSingleAccountIntegrationNoRoomSetting() throws Exception {
@ -136,8 +129,7 @@ public class InternalHipChatServiceTests extends ESTestCase {
        Settings.Builder settingsBuilder = Settings.builder()
                .put("watcher.actions.hipchat.service.account." + accountName + ".profile", HipChatAccount.Profile.INTEGRATION.value())
                .put("watcher.actions.hipchat.service.account." + accountName + ".auth_token", "_token");
-        try (InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)),
+        try (InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)))) {
                settingsFilter)) {
            service.start();
            fail("Expected SettingsException");
        } catch (SettingsException e) {
@ -164,7 +156,7 @@ public class InternalHipChatServiceTests extends ESTestCase {
            settingsBuilder.put("watcher.actions.hipchat.service.account." + accountName + ".port", port);
        }
        buildMessageDefaults(accountName, settingsBuilder, defaultRoom, defaultUser, null, defaultColor, defaultFormat, defaultNotify);
-        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)), settingsFilter);
+        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)));
        service.start();
        HipChatAccount account = service.getAccount(accountName);
@ -193,8 +185,6 @@ public class InternalHipChatServiceTests extends ESTestCase {
        // with a single account defined, making sure that that account is set to the default one.
        assertThat(service.getDefaultAccount(), sameInstance(account));
        assertThatSettingsFilterWasAdded();
    }
    public void testMultipleAccounts() throws Exception {
@ -227,7 +217,7 @@ public class InternalHipChatServiceTests extends ESTestCase {
            buildMessageDefaults(name, settingsBuilder, null, null, null, defaultColor, defaultFormat, defaultNotify);
        }
-        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)), settingsFilter);
+        InternalHipChatService service = new InternalHipChatService(settingsBuilder.build(), httpClient, new ClusterSettings(settingsBuilder.build(), Collections.singleton(InternalHipChatService.HIPCHAT_ACCOUNT_SETTING)));
        service.start();
        for (int i = 0; i < 5; i++) {
@ -256,12 +246,6 @@ public class InternalHipChatServiceTests extends ESTestCase {
        }
        assertThat(service.getDefaultAccount(), sameInstance(service.getAccount(defaultAccount)));
        assertThatSettingsFilterWasAdded();
    }
    private void assertThatSettingsFilterWasAdded() {
        verify(settingsFilter, times(1)).filterOut("watcher.actions.hipchat.service.account.*.auth_token");
    }
    private void buildMessageDefaults(String account, Settings.Builder settingsBuilder, String room, String user, String from, HipChatMessage.Color color, HipChatMessage.Format format, Boolean notify) {
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/WatcherSettingsFilterTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/WatcherSettingsFilterTests.java
@ -59,11 +59,7 @@ public class WatcherSettingsFilterTests extends AbstractWatcherIntegrationTestCa
        for (Object node : nodes.values()) {
            Map<String, Object> settings = (Map<String, Object>) ((Map<String, Object>) node).get("settings");
            assertThat(XContentMapValues.extractValue("watcher.actions.email.service.account._email.smtp.user", settings), is((Object) "_user"));
-            if (shieldEnabled()) {
+            assertThat(XContentMapValues.extractValue("watcher.actions.email.service.account._email.smtp.password", settings), nullValue());
                assertThat(XContentMapValues.extractValue("watcher.actions.email.service.account._email.smtp.password", settings), nullValue());
            } else {
                assertThat(XContentMapValues.extractValue("watcher.actions.email.service.account._email.smtp.password", settings), is((Object) "_passwd"));
            }
        }
    }