Security: Replace `_shield/` urls with `_xpack/security` (elastic/elasticsearch#2174)

This changes the security endpoints to _xpack/security, fixes the rest api spec to also use
the xpack.security prefix and adds documentation and tests.

Original commit: elastic/x-pack-elasticsearch@7977575f0e

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestAuthenticateAction.java

@@ -34,8 +34,7 @@ public class RestAuthenticateAction extends BaseRestHandler {
     public RestAuthenticateAction(Settings settings, RestController controller, Client client, SecurityContext securityContext) {
         super(settings, client);
         this.securityContext = securityContext;
-        controller.registerHandler(GET, "/_shield/authenticate", this); // deprecate
+        controller.registerHandler(GET, "/_xpack/security/authenticate", this); // deprecate
-        controller.registerHandler(GET, "/_shield/_authenticate", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/realm/RestClearRealmCacheAction.java

@@ -29,8 +29,8 @@ public class RestClearRealmCacheAction extends BaseRestHandler {
     @Inject
     public RestClearRealmCacheAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(POST, "/_shield/realm/{realms}/_cache/clear", this); // deprecated
+        controller.registerHandler(POST, "/_xpack/security/realm/{realms}/_cache/clear", this); // deprecated
-        controller.registerHandler(POST, "/_shield/realm/{realms}/_clear_cache", this);
+        controller.registerHandler(POST, "/_xpack/security/realm/{realms}/_clear_cache", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java

@@ -32,7 +32,7 @@ public class RestClearRolesCacheAction extends BaseRestHandler {
     @Inject
     public RestClearRolesCacheAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(POST, "/_shield/role/{name}/_clear_cache", this);
+        controller.registerHandler(POST, "/_xpack/security/role/{name}/_clear_cache", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java

@@ -29,7 +29,7 @@ public class RestDeleteRoleAction extends BaseRestHandler {
     @Inject
     public RestDeleteRoleAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.DELETE, "/_shield/role/{name}", this);
+        controller.registerHandler(RestRequest.Method.DELETE, "/_xpack/security/role/{name}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java

@@ -30,8 +30,8 @@ public class RestGetRolesAction extends BaseRestHandler {
     @Inject
     public RestGetRolesAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.GET, "/_shield/role/", this);
+        controller.registerHandler(RestRequest.Method.GET, "/_xpack/security/role/", this);
-        controller.registerHandler(RestRequest.Method.GET, "/_shield/role/{name}", this);
+        controller.registerHandler(RestRequest.Method.GET, "/_xpack/security/role/{name}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestPutRoleAction.java

@@ -29,8 +29,8 @@ public class RestPutRoleAction extends BaseRestHandler {
     @Inject
     public RestPutRoleAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.POST, "/_shield/role/{name}", this);
+        controller.registerHandler(RestRequest.Method.POST, "/_xpack/security/role/{name}", this);
-        controller.registerHandler(RestRequest.Method.PUT, "/_shield/role/{name}", this);
+        controller.registerHandler(RestRequest.Method.PUT, "/_xpack/security/role/{name}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestChangePasswordAction.java

@@ -32,10 +32,10 @@ public class RestChangePasswordAction extends BaseRestHandler {
     public RestChangePasswordAction(Settings settings, Client client, RestController controller, SecurityContext securityContext) {
         super(settings, client);
         this.securityContext = securityContext;
-        controller.registerHandler(RestRequest.Method.POST, "/_shield/user/{username}/_password", this);
+        controller.registerHandler(RestRequest.Method.POST, "/_xpack/security/user/{username}/_password", this);
-        controller.registerHandler(RestRequest.Method.PUT, "/_shield/user/{username}/_password", this);
+        controller.registerHandler(RestRequest.Method.PUT, "/_xpack/security/user/{username}/_password", this);
-        controller.registerHandler(RestRequest.Method.POST, "/_shield/user/_password", this);
+        controller.registerHandler(RestRequest.Method.POST, "/_xpack/security/user/_password", this);
-        controller.registerHandler(RestRequest.Method.PUT, "/_shield/user/_password", this);
+        controller.registerHandler(RestRequest.Method.PUT, "/_xpack/security/user/_password", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java

@@ -30,7 +30,7 @@ public class RestDeleteUserAction extends BaseRestHandler {
     @Inject
     public RestDeleteUserAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.DELETE, "/_shield/user/{username}", this);
+        controller.registerHandler(RestRequest.Method.DELETE, "/_xpack/security/user/{username}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java

@@ -31,8 +31,8 @@ public class RestGetUsersAction extends BaseRestHandler {
     @Inject
     public RestGetUsersAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.GET, "/_shield/user/", this);
+        controller.registerHandler(RestRequest.Method.GET, "/_xpack/security/user/", this);
-        controller.registerHandler(RestRequest.Method.GET, "/_shield/user/{username}", this);
+        controller.registerHandler(RestRequest.Method.GET, "/_xpack/security/user/{username}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestPutUserAction.java

@@ -29,8 +29,8 @@ public class RestPutUserAction extends BaseRestHandler {
     @Inject
     public RestPutUserAction(Settings settings, RestController controller, Client client) {
         super(settings, client);
-        controller.registerHandler(RestRequest.Method.POST, "/_shield/user/{username}", this);
+        controller.registerHandler(RestRequest.Method.POST, "/_xpack/security/user/{username}", this);
-        controller.registerHandler(RestRequest.Method.PUT, "/_shield/user/{username}", this);
+        controller.registerHandler(RestRequest.Method.PUT, "/_xpack/security/user/{username}", this);
     }
 
     @Override

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java

@@ -106,7 +106,7 @@ public class ClearRealmsCacheTests extends ShieldIntegTestCase {
 
             @Override
             public void executeRequest() throws Exception {
-                executeHttpRequest("/_shield/realm/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache",
+                executeHttpRequest("/_xpack/security/realm/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache",
                         Collections.<String, String>emptyMap());
             }
         },
@@ -129,7 +129,7 @@ public class ClearRealmsCacheTests extends ShieldIntegTestCase {
 
             @Override
             public void executeRequest() throws Exception {
-                String path = "/_shield/realm/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache";
+                String path = "/_xpack/security/realm/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache";
                 Map<String, String> params = Collections.singletonMap("usernames", String.join(",", evicted_usernames));
                 executeHttpRequest(path, params);
             }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java

@@ -131,9 +131,9 @@ public class ClearRolesCacheTests extends NativeRealmIntegTestCase {
         if (useHttp) {
             String path;
             if (rolesToClear == null) {
-                path = "/_shield/role/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache";
+                path = "/_xpack/security/role/" + (randomBoolean() ? "*" : "_all") + "/_clear_cache";
             } else {
-                path = "/_shield/role/" + Strings.arrayToCommaDelimitedString(rolesToClear) + "/_clear_cache";
+                path = "/_xpack/security/role/" + Strings.arrayToCommaDelimitedString(rolesToClear) + "/_clear_cache";
             }
             HttpResponse response = httpClient().path(path).method("POST")
                     .addHeader("Authorization",

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/rest/action/RestAuthenticateActionTests.java

@@ -47,7 +47,7 @@ public class RestAuthenticateActionTests extends ShieldIntegTestCase {
     }
 
     public void testAuthenticateApi() throws Exception {
-        HttpResponse response = httpClient().method("GET").path("/_shield/authenticate")
+        HttpResponse response = httpClient().method("GET").path("/_xpack/security/authenticate")
                 .addHeader("Authorization", basicAuthHeaderValue(ShieldSettingsSource.DEFAULT_USER_NAME,
                         new SecuredString(ShieldSettingsSource.DEFAULT_PASSWORD.toCharArray())))
                 .execute();
@@ -61,7 +61,7 @@ public class RestAuthenticateActionTests extends ShieldIntegTestCase {
     }
 
     public void testAuthenticateApiWithoutAuthentication() throws Exception {
-        HttpResponse response = httpClient().method("GET").path("/_shield/authenticate")
+        HttpResponse response = httpClient().method("GET").path("/_xpack/security/authenticate")
                 .execute();
 
         if (anonymousEnabled) {

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.authenticate.json

@@ -1,10 +1,10 @@
 {
-  "shield.authenticate": {
+  "xpack.security.authenticate": {
     "documentation": "Retrieve details about the currently authenticated user",
     "methods": [ "GET" ],
     "url": {
-      "path": "/_shield/authenticate",
+      "path": "/_xpack/security/authenticate",
-      "paths": [ "/_shield/authenticate" ],
+      "paths": [ "/_xpack/security/authenticate" ],
       "parts": {},
       "params": {}
     },

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.change_password.json

@@ -1,10 +1,10 @@
 {
-  "shield.change_password": {
+  "xpack.security.change_password": {
     "documentation": "Change the password of a user",
     "methods": [ "PUT", "POST" ],
     "url": {
-      "path": "/_shield/user/{username}/_password",
+      "path": "/_xpack/security/user/{username}/_password",
-      "paths": [ "/_shield/user/{username}/_password", "/_shield/user/_password" ],
+      "paths": [ "/_xpack/security/user/{username}/_password", "/_xpack/security/user/_password" ],
       "parts": {
         "username": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.clear_cached_realms.json

@@ -1,10 +1,10 @@
 {
-  "shield.clear_cached_realms": {
+  "xpack.security.clear_cached_realms": {
     "documentation": "Clears the internal user caches for specified realms",
     "methods": [ "POST" ],
     "url": {
-      "path": "/_shield/realm/{realms}/_clear_cache",
+      "path": "/_xpack/security/realm/{realms}/_clear_cache",
-      "paths": [ "/_shield/realm/{realms}/_clear_cache" ],
+      "paths": [ "/_xpack/security/realm/{realms}/_clear_cache" ],
       "parts": {
         "realms": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.clear_cached_roles.json

@@ -1,10 +1,10 @@
 {
-  "shield.clear_cached_roles": {
+  "xpack.security.clear_cached_roles": {
     "documentation": "Clears the internal caches for specified roles",
     "methods": [ "PUT", "POST" ],
     "url": {
-      "path": "/_shield/role/{name}/_clear_cache",
+      "path": "/_xpack/security/role/{name}/_clear_cache",
-      "paths": [ "/_shield/role/{name}/_clear_cache" ],
+      "paths": [ "/_xpack/security/role/{name}/_clear_cache" ],
       "parts": {
         "name": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.delete_role.json

@@ -1,10 +1,10 @@
 {
-  "shield.delete_role": {
+  "xpack.security.delete_role": {
     "documentation": "Remove a role from the native shield realm",
     "methods": [ "DELETE" ],
     "url": {
-      "path": "/_shield/role/{name}",
+      "path": "/_xpack/security/role/{name}",
-      "paths": [ "/_shield/role/{name}" ],
+      "paths": [ "/_xpack/security/role/{name}" ],
       "parts": {
         "name": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.delete_user.json

@@ -1,10 +1,10 @@
 {
-  "shield.delete_user": {
+  "xpack.security.delete_user": {
     "documentation": "Remove a user from the native shield realm",
     "methods": [ "DELETE" ],
     "url": {
-      "path": "/_shield/user/{username}",
+      "path": "/_xpack/security/user/{username}",
-      "paths": [ "/_shield/user/{username}" ],
+      "paths": [ "/_xpack/security/user/{username}" ],
       "parts": {
         "username": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.get_role.json

@@ -1,10 +1,10 @@
 {
-  "shield.get_role": {
+  "xpack.security.get_role": {
     "documentation": "Retrieve one or more roles from the native shield realm",
     "methods": [ "GET" ],
     "url": {
-      "path": "/_shield/role/{name}",
+      "path": "/_xpack/security/role/{name}",
-      "paths": [ "/_shield/role/{name}", "/_shield/role" ],
+      "paths": [ "/_xpack/security/role/{name}", "/_xpack/security/role" ],
       "parts": {
         "name": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.get_user.json

@@ -1,10 +1,10 @@
 {
-  "shield.get_user": {
+  "xpack.security.get_user": {
     "documentation": "Retrieve one or more users from the native shield realm",
     "methods": [ "GET" ],
     "url": {
-      "path": "/_shield/user/{username}",
+      "path": "/_xpack/security/user/{username}",
-      "paths": [ "/_shield/user/{username}", "/_shield/user" ],
+      "paths": [ "/_xpack/security/user/{username}", "/_xpack/security/user" ],
       "parts": {
         "username": {
           "type" : "list",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.put_role.json

@@ -1,10 +1,10 @@
 {
-  "shield.put_role": {
+  "xpack.security.put_role": {
     "documentation": "Update or create a role for the native shield realm",
     "methods": [ "PUT", "POST" ],
     "url": {
-      "path": "/_shield/role/{name}",
+      "path": "/_xpack/security/role/{name}",
-      "paths": [ "/_shield/role/{name}" ],
+      "paths": [ "/_xpack/security/role/{name}" ],
       "parts": {
         "name": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/api/xpack.security.put_user.json

@@ -1,10 +1,10 @@
 {
-  "shield.put_user": {
+  "xpack.security.put_user": {
     "documentation": "Update or create a user for the native shield realm",
     "methods": [ "PUT", "POST" ],
     "url": {
-      "path": "/_shield/user/{username}",
+      "path": "/_xpack/security/user/{username}",
-      "paths": [ "/_shield/user/{username}" ],
+      "paths": [ "/_xpack/security/user/{username}" ],
       "parts": {
         "username": {
           "type" : "string",

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/authenticate/10_basic.yaml

@@ -5,7 +5,7 @@
       cluster.health:
           wait_for_status: yellow
   - do:
-      shield.authenticate: {}
+      xpack.security.authenticate: {}
 
   - match: { username: "test_user" }
   - match: { roles.0:  "superuser" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/change_password/10_basic.yaml

@@ -8,7 +8,7 @@
         wait_for_status: yellow
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -26,7 +26,7 @@
 
 # change password
   - do:
-      shield.change_password:
+      xpack.security.change_password:
         username: "joe"
         body:  >
             {
@@ -57,7 +57,7 @@
         wait_for_status: yellow
 
   - do:
-      shield.put_role:
+      xpack.security.put_role:
         name: "user"
         body:  >
             {
@@ -72,7 +72,7 @@
   - match: { role: { created: true } }
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -92,7 +92,7 @@
   - do:
       headers:
         Authorization: "Basic am9lOnMza3JpdA=="
-      shield.change_password:
+      xpack.security.change_password:
         body:  >
             {
               "password" : "s3krit2"
@@ -122,7 +122,7 @@
         wait_for_status: yellow
 
   - do:
-      shield.put_role:
+      xpack.security.put_role:
         name: "user"
         body:  >
             {
@@ -137,7 +137,7 @@
   - match: { role: { created: true } }
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -158,7 +158,7 @@
       headers:
         Authorization: "Basic am9lOnMza3JpdA=="
       catch: forbidden
-      shield.change_password:
+      xpack.security.change_password:
         username: "anotheruser"
         body:  >
             {

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/roles/10_basic.yaml

@@ -8,7 +8,7 @@
           wait_for_status: yellow
 
   - do:
-      shield.put_role:
+      xpack.security.put_role:
         name: "admin_role"
         body:  >
             {
@@ -23,7 +23,7 @@
   - match: { role: { created: true } }
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -40,7 +40,7 @@
   - match: { timed_out: false }
 
   - do:
-      shield.get_role:
+      xpack.security.get_role:
         name: "admin_role"
   - match: { admin_role.cluster.0:  "all" }
   - match: { admin_role.indices.0.names.0: "*" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/roles/11_idx_arrays.yaml

@@ -8,7 +8,7 @@
           wait_for_status: yellow
 
   - do:
-      shield.put_role:
+      xpack.security.put_role:
         name: "admin_role2"
         body:  >
             {
@@ -23,7 +23,7 @@
   - match: { role: { created: true } }
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -61,7 +61,7 @@
   - match: { timed_out: false }
 
   - do:
-      shield.get_role:
+      xpack.security.get_role:
         name: "admin_role2"
   - match: { admin_role2.cluster.0:  "all" }
   - match: { admin_role2.indices.0.names.0: "foo" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/roles/20_get_missing.yaml

@@ -1,12 +1,12 @@
 "Get missing role":
   - do:
       catch:  missing
-      shield.get_role:
+      xpack.security.get_role:
         name: 'foo'
 
 ---
 "Get missing (multiple) roles":
   - do:
       catch:  missing
-      shield.get_role:
+      xpack.security.get_role:
         name: [ 'foo', 'bar' ]

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/users/10_basic.yaml

@@ -8,7 +8,7 @@
           wait_for_status: yellow
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -30,7 +30,7 @@
   - match: { timed_out: false }
 
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username:  "joe" }
   - match: { joe.roles.0:  "superuser" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/users/15_overwrite_user.yaml

@@ -8,7 +8,7 @@
           wait_for_status: yellow
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -18,7 +18,7 @@
   - match: { user: { created: true } }
 
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username: "joe" }
   - match: { joe.roles.0:  "superuser" }
@@ -30,7 +30,7 @@
   - match: { timed_out: false }
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -46,7 +46,7 @@
   - match: { user: { created: false } }
 
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username:  "joe" }
   - match: { joe.roles.0:  "superuser" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/users/16_update_user.yaml

@@ -6,7 +6,7 @@
 
   - do:
       catch: request
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -24,7 +24,7 @@
         wait_for_status: yellow
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -41,7 +41,7 @@
   - match: { timed_out: false }
 
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username:  "joe" }
   - match: { joe.roles.0:  "superuser" }
@@ -51,7 +51,7 @@
 # update the user without a password
 
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -74,7 +74,7 @@
 
 # validate other properties
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username:  "joe" }
   - match: { joe.roles.0:  "superuser" }
@@ -86,7 +86,7 @@
 
 # update with password
   - do:
-      shield.put_user:
+      xpack.security.put_user:
         username: "joe"
         body:  >
             {
@@ -118,7 +118,7 @@
 
 # validate properties
   - do:
-      shield.get_user:
+      xpack.security.get_user:
         username: "joe"
   - match: { joe.username:  "joe" }
   - match: { joe.roles.0:  "superuser" }

elasticsearch/x-pack/shield/src/test/resources/rest-api-spec/test/users/20_get_missing.yaml

@@ -1,12 +1,12 @@
 "Get missing user":
   - do:
       catch:  missing
-      shield.get_user:
+      xpack.security.get_user:
         username: 'foo'
 
 ---
 "Get missing (multiple) users":
   - do:
       catch:  missing
-      shield.get_user:
+      xpack.security.get_user:
         username: [ 'foo', 'bar' ]

elasticsearch/x-pack/src/test/java/org/elasticsearch/xpack/test/rest/XPackRestTestCase.java

@@ -88,7 +88,7 @@ public abstract class XPackRestTestCase extends ESRestTestCase {
         // TODO remove this once the built-in SUPERUSER role is added that can delete the index and we use the built in admin user here
         try (CloseableHttpClient client = HttpClients.createMinimal(new BasicHttpClientConnectionManager())) {
             final URL url = getClusterUrls()[0];
-            HttpGet getUsersRequest = new HttpGet(new URI("http", null, url.getHost(), url.getPort(), "/_shield/user", null, null));
+            HttpGet getUsersRequest = new HttpGet(new URI("http", null, url.getHost(), url.getPort(), "/_xpack/security/user", null, null));
             getUsersRequest.addHeader("Authorization", BASIC_AUTH_VALUE);
             try (CloseableHttpResponse closeableHttpResponse = client.execute(getUsersRequest)) {
                 assertThat(closeableHttpResponse.getStatusLine().getStatusCode(), is(200));
@@ -99,14 +99,14 @@ public abstract class XPackRestTestCase extends ESRestTestCase {
                 // in the structure of this API, the users are the keyset
                 for (String user : responseMap.keySet()) {
                     HttpDelete delete = new HttpDelete(new URI("http", null, url.getHost(), url.getPort(),
-                            "/_shield/user/" + user, null, null));
+                            "/_xpack/security/user/" + user, null, null));
                     delete.addHeader("Authorization", BASIC_AUTH_VALUE);
                     try (CloseableHttpResponse deleteResponse = client.execute(delete)) {
                     }
                 }
             }
 
-            HttpGet getRolesRequest = new HttpGet(new URI("http", null, url.getHost(), url.getPort(), "/_shield/role",
+            HttpGet getRolesRequest = new HttpGet(new URI("http", null, url.getHost(), url.getPort(), "/_xpack/security/role",
                     null, null));
             getRolesRequest.addHeader("Authorization", BASIC_AUTH_VALUE);
             try (CloseableHttpResponse closeableHttpResponse = client.execute(getRolesRequest)) {
@@ -118,7 +118,7 @@ public abstract class XPackRestTestCase extends ESRestTestCase {
                 // in the structure of this API, the users are the keyset
                 for (String role : responseMap.keySet()) {
                     HttpDelete delete = new HttpDelete(new URI("http", null, url.getHost(), url.getPort(),
-                            "/_shield/role/" + role, null, null));
+                            "/_xpack/security/role/" + role, null, null));
                     delete.addHeader("Authorization", BASIC_AUTH_VALUE);
                     try (CloseableHttpResponse deleteResponse = client.execute(delete)) {
                     }