Merge branch 'master' into feature/sql

Original commit: elastic/x-pack-elasticsearch@c8368be422

docs/en/commands/setup-passwords.asciidoc

@@ -26,6 +26,17 @@ user, the bootstrap password is no longer active and you cannot use this command
 Instead, you can change passwords by using the *Management > Users* UI in {kib}
 or the <<security-api-change-password,Change Password API>>.
 
+This command uses an HTTP connection to connect to the cluster and run the user
+management requests. If your cluster uses TLS/SSL on the HTTP layer, the command
+automatically attempts to establish the connection by using the HTTPS protocol.
+It configures the connection by using the `xpack.security.http.ssl` settings in
+the `elasticsearch.yml` file. If you do not use the default config directory
+location, ensure that the *ES_PATH_CONF* environment variable returns the
+correct path before you run the `setup-passwords` command. You can override
+settings in your `elasticsearch.yml` file by using the `-E` command option.
+For more information about debugging connection failures, see
+{xpack-ref}/trb-security-setup.html[Setup-passwords command fails due to connection failure]. 
+
 [float]
 === Parameters
 
@@ -44,7 +55,8 @@ user.
 
 `-u, --url "<URL>"`:: Specifies the URL that the tool uses to submit the user management API
 requests. The default value is determined from the settings in your
-`elasticsearch.yml` file.
+`elasticsearch.yml` file. If `xpack.security.http.ssl.enabled`  is set to `true`,
+you must specify an HTTPS URL.
 
 `-v, --verbose`:: Shows verbose output.
 

docs/en/index.asciidoc

@@ -25,12 +25,11 @@ include::{es-repo-dir}/reference/index-shared3.asciidoc[]
 
 :edit_url!:
 include::sql/index.asciidoc[]
+include::monitoring/index.asciidoc[]
 include::rest-api/index.asciidoc[]
 
-# NOCOMMIT before merging SQL we should make a index-shared4 in core and
+# NOCOMMIT before merging SQL we need to fiddle with this to make sure it is right
-# put index-shared3 between sql and rest-api.
 
-:edit_url!:
 include::commands/index.asciidoc[]
 
 :edit_url:

docs/en/installing-xes.asciidoc

@@ -9,7 +9,10 @@ After you install {es}, you can optionally obtain and install {xpack}.
 For more information about how to obtain {xpack},
 see https://www.elastic.co/products/x-pack.
 
-You must run the version of {xpack} that matches the version of {es} you are running.
+You must run the version of {xpack} that matches the version of {es} you are
+running. See the
+https://www.elastic.co/support/matrix#matrix_compatibility[Elastic Support Matrix]
+for more information about product compatibility. 
 
 IMPORTANT: If you are installing {xpack} for the first time on an existing
 cluster, you must perform a full cluster restart. Installing {xpack} enables

docs/en/monitoring/http-export.asciidoc

@@ -0,0 +1,52 @@
+[role="xpack"]
+[[http-exporter]]
+== HTTP Exporter
+
+When you configure
+an exporter in `elasticsearch.yml`, the default `local` exporter is disabled.
+
+The `http` exporter uses the low-level {es} REST Client. This allows
+the `http` exporter to send its data to any {es} cluster it can access
+through the network.
+
+The `http` exporter supports a number of settings that control how it
+communicates over HTTP to remote clusters. In most cases, it is not
+necessary to explicitly configure these settings. For detailed
+descriptions, see {ref}/monitoring-settings.html[Monitoring Settings].
+
+[source,yaml]
+----------------------------------
+xpack.monitoring.exporters:
+  my_local: <1>
+    type: local
+  my_remote: <2>
+    type: http
+    host: [ "10.1.2.3", ... ] <3>
+    auth: <4>
+      username: my_username
+      password: changeme
+    connection:
+      timeout: 6s
+      read_timeout: 60s
+    ssl: ... <5>
+    proxy:
+      base_path: /some/base/path <6>
+    headers: <7>
+      My-Proxy-Header: abc123
+      My-Other-Thing: [ def456, ... ]
+    index.name.time_format: YYYY-MM <8>
+
+----------------------------------
+<1> A `local` exporter defined explicitly whose arbitrary name is `my_local`.
+<2> An `http` exporter defined whose arbitrary name is `my_remote`.
+<3> `host` is a required setting for `http` exporters, which can take a few
+    different forms as described in the table below.
+<4> User authentication for those using {security} or some other
+    form of user authentication protecting the cluster.
+<5> See below for all TLS / SSL settings. If not supplied, the default
+    node-level TLS / SSL settings will be used.
+<6> Optional base path to prefix any outgoing request with in order to
+    work with proxies.
+<7> Arbitrary key/value pairs to define as headers to send with every request.
+    The array-based key/value format sends one header per value.
+<8> A mechanism for changing the date suffix used by default.

docs/en/monitoring/index.asciidoc

@@ -0,0 +1,23 @@
+[role="xpack"]
+[[es-monitoring]]
+= Monitoring {es}
+
+[partintro]
+--
+{monitoring} enables you to easily monitor the health of your {es} cluster. The
+monitoring metrics are collected from each node and stored in {es} indices. You
+can then view the data from {kib} where it’s easy to spot issues at a glance or
+delve into the system behavior over time to diagnose operational issues. In
+addition to the built-in status warnings, you can also set up custom alerts
+based on the data in the monitoring indices.
+
+This section focuses on the {es} monitoring infrastructure and setup. For an
+introduction to monitoring your Elastic stack, including Logstash and {kib}, see
+{xpack-ref}/xpack-monitoring.html[Monitoring the Elastic Stack].
+//For information about using the Monitoring UI, see Monitoring in the Kibana guide.
+
+--
+
+include::stats-export.asciidoc[]
+include::http-export.asciidoc[]
+include::tribe.asciidoc[]

docs/en/monitoring/stats-export.asciidoc

@@ -0,0 +1,18 @@
+[role="xpack"]
+[[stats-export]]
+== Collecting Data from Particular Indices
+
+By default, the monitoring agent collects data from all {es} indices.
+To collect data from particular indices, configure the
+`xpack.monitoring.collection.indices` setting in `elasticsearch.yml`.
+You can specify multiple indices as a comma-separated list or
+use an index pattern to match multiple indices:
+
+[source,yaml]
+----------------------------------
+xpack.monitoring.collection.indices: logstash-*, index1, test2
+----------------------------------
+
+You can prepend `+` or `-` to explicitly include or exclude index
+names or patterns. For example, to include all indices that
+start with `test` except `test3`, you could specify `+test*,-test3`.

docs/en/monitoring/tribe.asciidoc

@@ -0,0 +1,40 @@
+[role="xpack"]
+[[monitoring-tribe]]
+== Configuring a Tribe Node to Work with Monitoring
+
+If you connect to a cluster through a <<modules-tribe,tribe node>>,
+and you want to monitor the tribe node, then you will need to install {xpack} on
+that node as well.
+
+With this configuration, the tribe node is included in the node count displayed
+in the Monitoring UI, but is not included in the node list because it does not
+export any data to the monitoring cluster.
+
+To include the tribe node in the monitoring data, enable Monitoring data
+collection at the tribe level:
+
+[source,yaml]
+----------------------------------
+node.name: my-tribe-node1
+
+tribe:
+  on_conflict: prefer_cluster1
+  c1:
+    cluster.name: cluster1
+    discovery.zen.ping.unicast.hosts: [ "cluster1-node1:9300", "cluster1-node2:9300", "cluster1-node2:9300" ]
+    xpack.monitoring.enabled: true <1>
+  c2:
+    cluster.name: cluster2
+    discovery.zen.ping.unicast.hosts: [ "cluster2-node3:9300", "cluster2-node3:9300", "cluster2-node3:9300" ]
+    xpack.monitoring: <2>
+      enabled: true
+      exporters:
+        id1:
+          type: http
+          host: [ "monitoring-cluster:9200" ]
+----------------------------------
+<1> Enable data collection from the tribe node using a Local Exporter.
+<2> Enable data collection from the tribe node using an HTTP Exporter.
+
+When you enable data collection from the tribe node, it is included in both the
+node count and node list.

docs/en/settings/configuring-xes.asciidoc

@@ -1,8 +1,12 @@
 [role="xpack"]
 [[settings-xpack]]
-== Configuring X-Pack
+== {xpack} Settings in {es}
+++++
+<titleabbrev>{xpack} Settings</titleabbrev>
+++++
 
-include::x-pack-settings.asciidoc[]
+include::{asciidoc-dir}/../../shared/settings.asciidoc[]
+include::license-settings.asciidoc[]
 include::ml-settings.asciidoc[]
 include::monitoring-settings.asciidoc[]
 include::security-settings.asciidoc[]

docs/en/settings/license-settings.asciidoc

@@ -0,0 +1,19 @@
+[role="xpack"]
+[[license-settings]]
+=== {xpack} License Settings
+++++
+<titleabbrev>License Settings</titleabbrev>
+++++
+
+You can configure this licensing setting in the `elasticsearch.yml` file.
+For more information, see
+{xpack-ref}/license-management.html[{xpack} License Management].
+
+`xpack.license.self_generated.type`::
+Set to `trial` (default) to enable all {xpack} features. +
++
+--
+If set to `basic`, the self-generated license gives access only to the features
+of a standard basic license. You can later upgrade the cluster to a trial
+license.
+--

docs/en/settings/x-pack-settings.asciidoc

@@ -1,14 +0,0 @@
-You configure settings for X-Pack features in the `elasticsearch.yml`,
-`kibana.yml`, and `logstash.yml` configuration files.
-
-[options="header,footer"]
-|=======================
-|{xpack} Feature   |{es} Settings                  |{kib} Settings                                |Logstash Settings
-|Development Tools |No                             |{kibana-ref}/dev-settings-kb.html[Yes]        |No
-|Graph             |No                             |{kibana-ref}/graph-settings-kb.html[Yes]      |No
-|Machine learning  |{ref}/ml-settings.html[Yes]    |{kibana-ref}/ml-settings-kb.html[Yes]         |No
-|Monitoring        |{ref}/monitoring-settings.html[Yes]    |{kibana-ref}/monitoring-settings-kb.html[Yes] |{logstash-ref}/settings-xpack.html#monitoring-settings[Yes]
-|Reporting         |No                             |{kibana-ref}/reporting-settings-kb.html[Yes]  |No
-|Security          |{ref}/security-settings.html[Yes]      |{kibana-ref}/security-settings-kb.html[Yes]   |No
-|Watcher           |{ref}/notification-settings.html[Yes]    |No                                  |No
-|=======================

docs/en/watcher/actions/email.asciidoc

@@ -67,7 +67,7 @@ killed by firewalls or load balancers inbetween.
 "actions" : {
   "email_admin" : {
     "email": {
-      "to": "'John Doe <john.doe@example.com>'",
+      "to": "John Doe <john.doe@example.com>",
       "attachments" : {
         "my_image.png" : { <1>
           "http" : { <2>
@@ -151,7 +151,7 @@ killed by firewalls or load balancers inbetween.
 [[email-action-reports]]
 ===== Attaching Reports to an Email
 
-You can use the `http` attachment type in an `email` action to automatically
+You can use the `reporting` attachment type in an `email` action to automatically
 generate a Kibana report and distribute it via email.
 
 include::{xkb-repo-dir}/reporting/watch-example.asciidoc[]

plugin/src/main/java/org/elasticsearch/xpack/XPackPlugin.java

@@ -632,7 +632,7 @@ public class XPackPlugin extends Plugin implements ScriptPlugin, ActionPlugin, I
     @Override
     public List<BootstrapCheck> getBootstrapChecks() {
         return Collections.unmodifiableList(
-                Stream.of(security.getBootstrapChecks(), watcher.getBootstrapChecks())
+                Stream.of(security.getBootstrapChecks(), watcher.getBootstrapChecks(env))
                         .flatMap(Collection::stream)
                         .collect(Collectors.toList()));
     }

plugin/src/main/java/org/elasticsearch/xpack/ml/MachineLearning.java

@@ -313,7 +313,7 @@ public class MachineLearning implements ActionPlugin {
         NormalizerProcessFactory normalizerProcessFactory;
         if (AUTODETECT_PROCESS.get(settings) && MachineLearningFeatureSet.isRunningOnMlPlatform(true)) {
             try {
-                NativeController nativeController = NativeControllerHolder.getNativeController(settings);
+                NativeController nativeController = NativeControllerHolder.getNativeController(env);
                 if (nativeController == null) {
                     // This will only only happen when path.home is not set, which is disallowed in production
                     throw new ElasticsearchException("Failed to create native process controller for Machine Learning");
@@ -341,7 +341,7 @@ public class MachineLearning implements ActionPlugin {
         DatafeedJobBuilder datafeedJobBuilder = new DatafeedJobBuilder(internalClient, jobProvider, auditor, System::currentTimeMillis);
         DatafeedManager datafeedManager = new DatafeedManager(threadPool, internalClient, clusterService, datafeedJobBuilder,
                 System::currentTimeMillis, auditor, persistentTasksService);
-        MlLifeCycleService mlLifeCycleService = new MlLifeCycleService(settings, clusterService, datafeedManager, autodetectProcessManager);
+        MlLifeCycleService mlLifeCycleService = new MlLifeCycleService(env, clusterService, datafeedManager, autodetectProcessManager);
         InvalidLicenseEnforcer invalidLicenseEnforcer =
                 new InvalidLicenseEnforcer(settings, licenseState, threadPool, datafeedManager, autodetectProcessManager);
         PersistentTasksExecutorRegistry persistentTasksExecutorRegistry = new PersistentTasksExecutorRegistry(Settings.EMPTY, Arrays.asList(

plugin/src/main/java/org/elasticsearch/xpack/ml/MachineLearningFeatureSet.java

@@ -20,6 +20,7 @@ import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.plugins.Platforms;
 import org.elasticsearch.xpack.XPackFeatureSet;
@@ -64,9 +65,9 @@ public class MachineLearningFeatureSet implements XPackFeatureSet {
     private final Map<String, Object> nativeCodeInfo;
 
     @Inject
-    public MachineLearningFeatureSet(Settings settings, ClusterService clusterService, Client client,
+    public MachineLearningFeatureSet(Environment environment, ClusterService clusterService, Client client,
                                      @Nullable XPackLicenseState licenseState) {
-        this.enabled = XPackSettings.MACHINE_LEARNING_ENABLED.get(settings);
+        this.enabled = XPackSettings.MACHINE_LEARNING_ENABLED.get(environment.settings());
         this.clusterService = Objects.requireNonNull(clusterService);
         this.client = Objects.requireNonNull(client);
         this.licenseState = licenseState;
@@ -74,10 +75,11 @@ public class MachineLearningFeatureSet implements XPackFeatureSet {
         // Don't try to get the native code version if ML is disabled - it causes too much controversy
         // if ML has been disabled because of some OS incompatibility.  Also don't try to get the native
         // code version in the transport or tribe client - the controller process won't be running.
-        if (enabled && XPackPlugin.transportClientMode(settings) == false && XPackPlugin.isTribeClientNode(settings) == false) {
+        if (enabled && XPackPlugin.transportClientMode(environment.settings()) == false
+                && XPackPlugin.isTribeClientNode(environment.settings()) == false) {
             try {
                 if (isRunningOnMlPlatform(true)) {
-                    NativeController nativeController = NativeControllerHolder.getNativeController(settings);
+                    NativeController nativeController = NativeControllerHolder.getNativeController(environment);
                     if (nativeController != null) {
                         nativeCodeInfo = nativeController.getNativeCodeInfo();
                     }

plugin/src/main/java/org/elasticsearch/xpack/ml/MlLifeCycleService.java

@@ -8,7 +8,7 @@ package org.elasticsearch.xpack.ml;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.component.LifecycleListener;
-import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.ml.datafeed.DatafeedManager;
 import org.elasticsearch.xpack.ml.job.process.NativeController;
 import org.elasticsearch.xpack.ml.job.process.NativeControllerHolder;
@@ -18,16 +18,18 @@ import java.io.IOException;
 
 public class MlLifeCycleService extends AbstractComponent {
 
+    private final Environment environment;
     private final DatafeedManager datafeedManager;
     private final AutodetectProcessManager autodetectProcessManager;
 
-    public MlLifeCycleService(Settings settings, ClusterService clusterService) {
+    public MlLifeCycleService(Environment environment, ClusterService clusterService) {
-        this(settings, clusterService, null, null);
+        this(environment, clusterService, null, null);
     }
 
-    public MlLifeCycleService(Settings settings, ClusterService clusterService, DatafeedManager datafeedManager,
+    public MlLifeCycleService(Environment environment, ClusterService clusterService, DatafeedManager datafeedManager,
                               AutodetectProcessManager autodetectProcessManager) {
-        super(settings);
+        super(environment.settings());
+        this.environment = environment;
         this.datafeedManager = datafeedManager;
         this.autodetectProcessManager = autodetectProcessManager;
         clusterService.addLifecycleListener(new LifecycleListener() {
@@ -47,7 +49,7 @@ public class MlLifeCycleService extends AbstractComponent {
                 if (datafeedManager != null) {
                     datafeedManager.isolateAllDatafeedsOnThisNode();
                 }
-                NativeController nativeController = NativeControllerHolder.getNativeController(settings);
+                NativeController nativeController = NativeControllerHolder.getNativeController(environment);
                 if (nativeController != null) {
                     // This kills autodetect processes WITHOUT closing the jobs, so they get reallocated.
                     if (autodetectProcessManager != null) {

plugin/src/main/java/org/elasticsearch/xpack/ml/job/process/NativeControllerHolder.java

@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.xpack.ml.job.process;
 
-import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.ml.MachineLearning;
 import org.elasticsearch.xpack.ml.utils.NamedPipeHelper;
@@ -29,16 +28,16 @@ public class NativeControllerHolder {
      *
      * The NativeController is created lazily to allow time for the C++ process to be started before connection is attempted.
      *
-     * null is returned to tests that haven't bothered to set up path.home and all runs where xpack.ml.autodetect_process=false.
+     * <code>null</code> is returned to tests where xpack.ml.autodetect_process=false.
      *
      * Calls may throw an exception if initial connection to the C++ process fails.
      */
-    public static NativeController getNativeController(Settings settings) throws IOException {
+    public static NativeController getNativeController(Environment environment) throws IOException {
 
-        if (Environment.PATH_HOME_SETTING.exists(settings) && MachineLearning.AUTODETECT_PROCESS.get(settings)) {
+        if (MachineLearning.AUTODETECT_PROCESS.get(environment.settings())) {
             synchronized (lock) {
                 if (nativeController == null) {
-                    nativeController = new NativeController(new Environment(settings), new NamedPipeHelper());
+                    nativeController = new NativeController(environment, new NamedPipeHelper());
                     nativeController.tailLogsInThread();
                 }
             }
@@ -51,7 +50,7 @@ public class NativeControllerHolder {
      * Get a reference to the singleton native process controller.
      *
      * Assumes that if it is possible for a native controller to exist that it will already have been created.
-     * Designed for use by objects that don't have access to settings but know a native controller must exist
+     * Designed for use by objects that don't have access to the environment but know a native controller must exist
      * for the object calling this method to exist.
      */
     public static NativeController getNativeController() {

plugin/src/main/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollector.java

@@ -30,6 +30,9 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
+import static org.elasticsearch.xpack.XPackSettings.SECURITY_ENABLED;
+import static org.elasticsearch.xpack.XPackSettings.TRANSPORT_SSL_ENABLED;
+
 /**
  * Collector for cluster stats.
  * <p>
@@ -80,11 +83,15 @@ public class ClusterStatsCollector extends Collector {
         final ClusterState clusterState = clusterService.state();
         final License license = licenseService.getLicense();
         final List<XPackFeatureSet.Usage> usage = collect(usageSupplier);
+        // if they have any other type of license, then they are either okay or already know
+        final boolean clusterNeedsTLSEnabled = license.operationMode() == License.OperationMode.TRIAL &&
+                                               SECURITY_ENABLED.get(settings) &&
+                                               TRANSPORT_SSL_ENABLED.get(settings) == false;
 
         // Adds a cluster stats document
         return Collections.singleton(
                 new ClusterStatsMonitoringDoc(clusterUUID(), timestamp(), interval, node, clusterName, version,  clusterStats.getStatus(),
-                        license, usage, clusterStats, clusterState));
+                        license, usage, clusterStats, clusterState, clusterNeedsTLSEnabled));
     }
 
     @Nullable

plugin/src/main/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsMonitoringDoc.java

@@ -55,6 +55,7 @@ public class ClusterStatsMonitoringDoc extends MonitoringDoc {
     private final ClusterStatsResponse clusterStats;
     private final ClusterState clusterState;
     private final ClusterHealthStatus status;
+    private final boolean clusterNeedsTLSEnabled;
 
     ClusterStatsMonitoringDoc(final String cluster,
                               final long timestamp,
@@ -66,7 +67,8 @@ public class ClusterStatsMonitoringDoc extends MonitoringDoc {
                               @Nullable final License license,
                               @Nullable final List<XPackFeatureSet.Usage> usages,
                               @Nullable final ClusterStatsResponse clusterStats,
-                              @Nullable final ClusterState clusterState) {
+                              @Nullable final ClusterState clusterState,
+                              final boolean clusterNeedsTLSEnabled) {
 
         super(cluster, timestamp, intervalMillis, node, MonitoredSystem.ES, TYPE, null);
         this.clusterName = Objects.requireNonNull(clusterName);
@@ -76,6 +78,7 @@ public class ClusterStatsMonitoringDoc extends MonitoringDoc {
         this.usages = usages;
         this.clusterStats = clusterStats;
         this.clusterState = clusterState;
+        this.clusterNeedsTLSEnabled = clusterNeedsTLSEnabled;
     }
 
     String getClusterName() {
@@ -106,6 +109,10 @@ public class ClusterStatsMonitoringDoc extends MonitoringDoc {
         return status;
     }
 
+    boolean getClusterNeedsTLSEnabled() {
+        return clusterNeedsTLSEnabled;
+    }
+
     @Override
     protected void innerToXContent(XContentBuilder builder, Params params) throws IOException {
         builder.field("cluster_name", clusterName);
@@ -119,6 +126,9 @@ public class ClusterStatsMonitoringDoc extends MonitoringDoc {
             params = new ToXContent.DelegatingMapParams(extraParams, params);
             license.toInnerXContent(builder, params);
             builder.field("hkey", hash(license, getCluster()));
+            if (clusterNeedsTLSEnabled) {
+                builder.field("cluster_needs_tls", true);
+            }
             builder.endObject();
         }
 

plugin/src/main/java/org/elasticsearch/xpack/security/Security.java

@@ -254,7 +254,7 @@ public class Security implements ActionPlugin, IngestPlugin, NetworkPlugin, Clus
                     new TokenSSLBootstrapCheck(),
                     new PkiRealmBootstrapCheck(sslService),
                     new TLSLicenseBootstrapCheck()));
-            checks.addAll(InternalRealms.getBootstrapChecks(settings));
+            checks.addAll(InternalRealms.getBootstrapChecks(settings, env));
             this.bootstrapChecks = Collections.unmodifiableList(checks);
         } else {
             this.bootstrapChecks = Collections.emptyList();

plugin/src/main/java/org/elasticsearch/xpack/security/authc/InternalRealms.java

@@ -17,6 +17,7 @@ import java.util.Set;
 import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.security.SecurityLifecycleService;
@@ -101,11 +102,11 @@ public class InternalRealms {
     private InternalRealms() {
     }
 
-    public static List<BootstrapCheck> getBootstrapChecks(final Settings globalSettings) {
+    public static List<BootstrapCheck> getBootstrapChecks(final Settings globalSettings, final Environment env) {
         final List<BootstrapCheck> checks = new ArrayList<>();
         final Map<String, Settings> settingsByRealm = RealmSettings.getRealmSettings(globalSettings);
         settingsByRealm.forEach((name, settings) -> {
-            final RealmConfig realmConfig = new RealmConfig(name, settings, globalSettings, null);
+            final RealmConfig realmConfig = new RealmConfig(name, settings, globalSettings, env, null);
             switch (realmConfig.type()) {
                 case LdapRealm.AD_TYPE:
                 case LdapRealm.LDAP_TYPE:

plugin/src/main/java/org/elasticsearch/xpack/security/authc/RealmConfig.java

@@ -23,11 +23,6 @@ public class RealmConfig {
     private final Settings globalSettings;
     private final ThreadContext threadContext;
 
-    public RealmConfig(String name, Settings settings, Settings globalSettings,
-                       ThreadContext threadContext) {
-        this(name, settings, globalSettings, new Environment(globalSettings), threadContext);
-    }
-
     public RealmConfig(String name, Settings settings, Settings globalSettings, Environment env,
                        ThreadContext threadContext) {
         this.name = name;

plugin/src/main/java/org/elasticsearch/xpack/watcher/Watcher.java

@@ -517,7 +517,7 @@ public class Watcher implements ActionPlugin {
         };
     }
 
-    public List<BootstrapCheck> getBootstrapChecks() {
+    public List<BootstrapCheck> getBootstrapChecks(Environment env) {
-        return Collections.singletonList(new EncryptSensitiveDataBootstrapCheck(new Environment(settings)));
+        return Collections.singletonList(new EncryptSensitiveDataBootstrapCheck(env));
     }
 }

plugin/src/test/java/org/elasticsearch/xpack/ml/MachineLearningFeatureSetTests.java

@@ -17,6 +17,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.ToXContent;
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.common.xcontent.XContentFactory;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.XPackFeatureSet;
@@ -53,12 +54,17 @@ import static org.mockito.Mockito.when;
 
 public class MachineLearningFeatureSetTests extends ESTestCase {
 
+    private Settings commonSettings;
     private ClusterService clusterService;
     private Client client;
     private XPackLicenseState licenseState;
 
     @Before
     public void init() throws Exception {
+        commonSettings = Settings.builder()
+                .put(Environment.PATH_HOME_SETTING.getKey(), createTempDir().toAbsolutePath())
+                .put(MachineLearning.AUTODETECT_PROCESS.getKey(), false)
+                .build();
         clusterService = mock(ClusterService.class);
         client = mock(Client.class);
         licenseState = mock(XPackLicenseState.class);
@@ -82,7 +88,8 @@ public class MachineLearningFeatureSetTests extends ESTestCase {
     }
 
     public void testAvailable() throws Exception {
-        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(Settings.EMPTY, clusterService, client, licenseState);
+        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(new Environment(commonSettings), clusterService, client,
+                licenseState);
         boolean available = randomBoolean();
         when(licenseState.isMachineLearningAllowed()).thenReturn(available);
         assertThat(featureSet.available(), is(available));
@@ -100,13 +107,14 @@ public class MachineLearningFeatureSetTests extends ESTestCase {
     public void testEnabled() throws Exception {
         boolean useDefault = randomBoolean();
         boolean enabled = true;
-        Settings.Builder settings = Settings.builder();
+        Settings.Builder settings = Settings.builder().put(commonSettings);
         if (useDefault == false) {
             enabled = randomBoolean();
             settings.put("xpack.ml.enabled", enabled);
         }
         boolean expected = enabled || useDefault;
-        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(settings.build(), clusterService, client, licenseState);
+        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(new Environment(settings.build()), clusterService, client,
+                licenseState);
         assertThat(featureSet.enabled(), is(expected));
         PlainActionFuture<Usage> future = new PlainActionFuture<>();
         featureSet.usage(future);
@@ -121,7 +129,7 @@ public class MachineLearningFeatureSetTests extends ESTestCase {
 
     public void testUsage() throws Exception {
         when(licenseState.isMachineLearningAllowed()).thenReturn(true);
-        Settings.Builder settings = Settings.builder();
+        Settings.Builder settings = Settings.builder().put(commonSettings);
         settings.put("xpack.ml.enabled", true);
 
         Job opened1 = buildJob("opened1", Arrays.asList(buildMinDetector("foo")));
@@ -139,7 +147,8 @@ public class MachineLearningFeatureSetTests extends ESTestCase {
                 buildDatafeedStats(DatafeedState.STOPPED)
         ));
 
-        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(settings.build(), clusterService, client, licenseState);
+        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(new Environment(settings.build()), clusterService, client,
+                licenseState);
         PlainActionFuture<Usage> future = new PlainActionFuture<>();
         featureSet.usage(future);
         XPackFeatureSet.Usage mlUsage = future.get();
@@ -201,11 +210,11 @@ public class MachineLearningFeatureSetTests extends ESTestCase {
 
     public void testUsageGivenMlMetadataNotInstalled() throws Exception {
         when(licenseState.isMachineLearningAllowed()).thenReturn(true);
-        Settings.Builder settings = Settings.builder();
+        Settings.Builder settings = Settings.builder().put(commonSettings);
         settings.put("xpack.ml.enabled", true);
         when(clusterService.state()).thenReturn(ClusterState.EMPTY_STATE);
 
-        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(settings.build(),
+        MachineLearningFeatureSet featureSet = new MachineLearningFeatureSet(new Environment(settings.build()),
                 clusterService, client, licenseState);
         PlainActionFuture<Usage> future = new PlainActionFuture<>();
         featureSet.usage(future);

plugin/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsCollectorTests.java

@@ -29,9 +29,12 @@ import org.elasticsearch.xpack.monitoring.collector.BaseCollectorTestCase;
 import org.elasticsearch.xpack.monitoring.exporter.MonitoringDoc;
 
 import java.util.Collection;
+import java.util.Locale;
 import java.util.UUID;
 
 import static java.util.Collections.singletonList;
+import static org.elasticsearch.xpack.XPackSettings.SECURITY_ENABLED;
+import static org.elasticsearch.xpack.XPackSettings.TRANSPORT_SSL_ENABLED;
 import static org.elasticsearch.xpack.monitoring.MonitoringTestUtils.randomMonitoringNode;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.greaterThan;
@@ -80,6 +83,36 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
     }
 
     public void testDoCollect() throws Exception {
+        final Settings.Builder settings = Settings.builder();
+        final License.OperationMode mode =
+                randomValueOtherThan(License.OperationMode.MISSING, () -> randomFrom(License.OperationMode.values()));
+        final boolean securityEnabled = randomBoolean();
+        final boolean transportTLSEnabled;
+
+        if (securityEnabled) {
+            switch (mode) {
+                case TRIAL:
+                    transportTLSEnabled = randomBoolean();
+                    break;
+                case BASIC:
+                    transportTLSEnabled = false;
+                    break;
+                case STANDARD:
+                case GOLD:
+                case PLATINUM:
+                    transportTLSEnabled = true;
+                    break;
+                default:
+                    throw new AssertionError("Unknown mode [" + mode + "]");
+            }
+
+            settings.put(TRANSPORT_SSL_ENABLED.getKey(), transportTLSEnabled);
+        } else {
+            transportTLSEnabled = false;
+
+            settings.put(SECURITY_ENABLED.getKey(), false);
+        }
+
         final TimeValue timeout = TimeValue.timeValueSeconds(randomIntBetween(1, 120));
         withCollectionTimeout(ClusterStatsCollector.CLUSTER_STATS_TIMEOUT, timeout);
 
@@ -95,7 +128,7 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
 
         final License license = License.builder()
                                         .uid(UUID.randomUUID().toString())
-                                        .type("trial")
+                                        .type(mode.name().toLowerCase(Locale.ROOT))
                                         .issuer("elasticsearch")
                                         .issuedTo("elastic")
                                         .issueDate(System.currentTimeMillis())
@@ -161,6 +194,9 @@ public class ClusterStatsCollectorTests extends BaseCollectorTestCase {
         assertThat(document.getLicense(), equalTo(license));
         assertThat(document.getStatus(), equalTo(clusterStatus));
 
+        assertThat(document.getClusterNeedsTLSEnabled(),
+                   equalTo(mode == License.OperationMode.TRIAL && securityEnabled && transportTLSEnabled == false));
+
         assertThat(document.getClusterStats(), notNullValue());
         assertThat(document.getClusterStats().getStatus(), equalTo(clusterStatus));
         assertThat(document.getClusterStats().getIndicesStats().getIndexCount(), equalTo(nbIndices));

plugin/src/test/java/org/elasticsearch/xpack/monitoring/collector/cluster/ClusterStatsMonitoringDocTests.java

@@ -76,6 +76,7 @@ public class ClusterStatsMonitoringDocTests extends BaseMonitoringDocTestCase<Cl
     private ClusterStatsResponse clusterStats;
     private ClusterState clusterState;
     private License license;
+    private final boolean needToEnableTLS = randomBoolean();
 
     @Override
     @Before
@@ -111,7 +112,8 @@ public class ClusterStatsMonitoringDocTests extends BaseMonitoringDocTestCase<Cl
     protected ClusterStatsMonitoringDoc createMonitoringDoc(String cluster, long timestamp, long interval, MonitoringDoc.Node node,
                                                             MonitoredSystem system, String type, String id) {
         return new ClusterStatsMonitoringDoc(cluster, timestamp, interval, node,
-                                             clusterName, version, clusterStatus, license, usages, clusterStats, clusterState);
+                                             clusterName, version, clusterStatus, license, usages, clusterStats, clusterState,
+                                             needToEnableTLS);
     }
 
     @Override
@@ -132,19 +134,22 @@ public class ClusterStatsMonitoringDocTests extends BaseMonitoringDocTestCase<Cl
     public void testConstructorClusterNameMustNotBeNull() {
         expectThrows(NullPointerException.class,
                 () -> new ClusterStatsMonitoringDoc(cluster, timestamp, interval, node,
-                        null, version, clusterStatus, license, usages, clusterStats, clusterState));
+                        null, version, clusterStatus, license, usages, clusterStats, clusterState,
+                        needToEnableTLS));
     }
 
     public void testConstructorVersionMustNotBeNull() {
         expectThrows(NullPointerException.class,
                 () -> new ClusterStatsMonitoringDoc(cluster, timestamp, interval, node,
-                        clusterName, null, clusterStatus, license, usages, clusterStats, clusterState));
+                        clusterName, null, clusterStatus, license, usages, clusterStats, clusterState,
+                        needToEnableTLS));
     }
 
     public void testConstructorClusterHealthStatusMustNotBeNull() {
         expectThrows(NullPointerException.class,
                 () -> new ClusterStatsMonitoringDoc(cluster, timestamp, interval, node,
-                        clusterName, version, null, license, usages, clusterStats, clusterState));
+                        clusterName, version, null, license, usages, clusterStats, clusterState,
+                        needToEnableTLS));
     }
 
     public void testNodesHash() {
@@ -339,7 +344,8 @@ public class ClusterStatsMonitoringDocTests extends BaseMonitoringDocTestCase<Cl
                                                                             license,
                                                                             usages,
                                                                             clusterStats,
-                                                                            clusterState);
+                                                                            clusterState,
+                                                                            needToEnableTLS);
 
         final BytesReference xContent = XContentHelper.toXContent(doc, XContentType.JSON, false);
         assertEquals("{"
@@ -370,6 +376,7 @@ public class ClusterStatsMonitoringDocTests extends BaseMonitoringDocTestCase<Cl
                     + "\"issuer\":\"elasticsearch\","
                     + "\"start_date_in_millis\":-1,"
                     + "\"hkey\":\"e05627254d639cf36346bf99934dc4a4ac9f37bdc9100cee450c10fa6322a6dd\""
+                    + (needToEnableTLS ? ",\"cluster_needs_tls\":true" : "")
                   + "},"
                   + "\"cluster_stats\":{"
                     + "\"timestamp\":1451606400000,"

plugin/src/test/java/org/elasticsearch/xpack/monitoring/integration/MonitoringIT.java

@@ -60,6 +60,7 @@ import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.isEmptyOrNullString;
+import static org.hamcrest.Matchers.isOneOf;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
@@ -321,6 +322,9 @@ public class MonitoringIT extends ESRestTestCase {
         Long expiryDate = (Long) license.get(License.Fields.EXPIRY_DATE_IN_MILLIS);
         assertThat(expiryDate, greaterThan(0L));
 
+        Boolean clusterNeedsTLS = (Boolean) license.get("cluster_needs_tls");
+        assertThat(clusterNeedsTLS, isOneOf(true, null));
+
         // We basically recompute the hash here
         assertThat("Hash key should be the same",
                 license.get("hkey"), equalTo(hash(status, uid, type, String.valueOf(expiryDate), (String) source.get("cluster_uuid"))));

plugin/src/test/java/org/elasticsearch/xpack/security/authc/InternalRealmsTests.java

@@ -7,6 +7,7 @@ package org.elasticsearch.xpack.security.authc;
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
@@ -38,10 +39,12 @@ public class InternalRealmsTests extends ESTestCase {
         verifyZeroInteractions(lifecycleService);
 
         Settings settings = Settings.builder().put("path.home", createTempDir()).build();
-        factories.get(NativeRealm.TYPE).create(new RealmConfig("test", Settings.EMPTY, settings, new ThreadContext(settings)));
+        factories.get(NativeRealm.TYPE).create(new RealmConfig("test", Settings.EMPTY, settings, new Environment(settings),
+                new ThreadContext(settings)));
         verify(lifecycleService).addSecurityIndexHealthChangeListener(isA(BiConsumer.class));
 
-        factories.get(NativeRealm.TYPE).create(new RealmConfig("test", Settings.EMPTY, settings, new ThreadContext(settings)));
+        factories.get(NativeRealm.TYPE).create(new RealmConfig("test", Settings.EMPTY, settings, new Environment(settings),
+                new ThreadContext(settings)));
         verify(lifecycleService, times(2)).addSecurityIndexHealthChangeListener(isA(BiConsumer.class));
     }
 }

plugin/src/test/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmTests.java

@@ -9,6 +9,7 @@ import org.elasticsearch.cluster.health.ClusterHealthStatus;
 import org.elasticsearch.cluster.health.ClusterIndexHealth;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.security.authc.RealmConfig;
 
@@ -23,7 +24,7 @@ public class NativeRealmTests extends ESTestCase {
         final AtomicInteger numInvalidation = new AtomicInteger(0);
         int expectedInvalidation = 0;
         Settings settings = Settings.builder().put("path.home", createTempDir()).build();
-        RealmConfig config = new RealmConfig("native", Settings.EMPTY, settings, new ThreadContext(settings));
+        RealmConfig config = new RealmConfig("native", Settings.EMPTY, settings, new Environment(settings), new ThreadContext(settings));
         final NativeRealm nativeRealm = new NativeRealm(config, mock(NativeUsersStore.class)) {
             @Override
             void clearCache() {

plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/ActiveDirectorySessionFactoryTests.java

@@ -62,7 +62,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
     public void testAdAuth() throws Exception {
         RealmConfig config = new RealmConfig("ad-test",
                 buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false),
-                globalSettings, new ThreadContext(Settings.EMPTY));
+                globalSettings, new Environment(globalSettings), new ThreadContext(Settings.EMPTY));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             String userName = "ironman";
@@ -410,7 +410,7 @@ public class ActiveDirectorySessionFactoryTests extends AbstractActiveDirectoryI
     public void testADLookup() throws Exception {
         RealmConfig config = new RealmConfig("ad-test",
                 buildAdSettings(AD_LDAP_URL, AD_DOMAIN, false, true),
-                globalSettings, new ThreadContext(Settings.EMPTY));
+                globalSettings, new Environment(globalSettings), new ThreadContext(Settings.EMPTY));
         try (ActiveDirectorySessionFactory sessionFactory = getActiveDirectorySessionFactory(config, sslService, threadPool)) {
 
             List<String> users = randomSubsetOf(Arrays.asList("cap", "hawkeye", "hulk", "ironman", "thor", "blackwidow",

plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/LdapTestCase.java

@@ -15,6 +15,7 @@ import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.xpack.security.authc.RealmConfig;
 import org.elasticsearch.xpack.security.authc.ldap.LdapSessionFactory;
 import org.elasticsearch.xpack.security.authc.support.DnRoleMapper;
@@ -135,7 +136,7 @@ public abstract class LdapTestCase extends ESTestCase {
                 .put(DnRoleMapper.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING.getKey(), true)
                 .build();
         Settings global = Settings.builder().put("path.home", createTempDir()).build();
-        RealmConfig config = new RealmConfig("ldap1", settings, global, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("ldap1", settings, global, new Environment(global), new ThreadContext(Settings.EMPTY));
 
         return new DnRoleMapper(config, resourceWatcherService);
     }

plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryLoadBalancingTests.java

@@ -222,8 +222,9 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
         String userTemplate = "cn={0},ou=people,o=sevenSeas";
         Settings settings = buildLdapSettings(ldapUrls(), new String[] { userTemplate }, groupSearchBase,
                 LdapSearchScope.SUB_TREE, loadBalancing);
-        RealmConfig config = new RealmConfig("test-session-factory", settings, Settings.builder().put("path.home",
+        Settings globalSettings = Settings.builder().put("path.home", createTempDir()).build();
-                createTempDir()).build(), new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test-session-factory", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         return new TestSessionFactory(config, new SSLService(Settings.EMPTY, new Environment(config.globalSettings())), threadPool);
     }
 

plugin/src/test/java/org/elasticsearch/xpack/security/authc/ldap/support/SessionFactoryTests.java

@@ -107,7 +107,7 @@ public class SessionFactoryTests extends ESTestCase {
     private SessionFactory createSessionFactory() {
         Settings global = Settings.builder().put("path.home", createTempDir()).build();
         final RealmConfig realmConfig = new RealmConfig("_name", Settings.builder().put("url", "ldap://localhost:389").build(),
-                global, new ThreadContext(Settings.EMPTY));
+                global, new Environment(global), new ThreadContext(Settings.EMPTY));
         return new SessionFactory(realmConfig, null, threadPool) {
 
             @Override

plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java

@@ -11,6 +11,7 @@ import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.SecuritySettingsSource;
 import org.elasticsearch.xpack.security.authc.AuthenticationResult;
@@ -55,7 +56,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
                 .put(CachingUsernamePasswordRealm.CACHE_TTL_SETTING.getKey(), ttl)
                 .build();
 
-        RealmConfig config = new RealmConfig("test_realm", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test_realm", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm("test", config) {
             @Override
             protected void doAuthenticate(UsernamePasswordToken token, ActionListener<AuthenticationResult> listener) {
@@ -226,7 +228,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
         Settings settings = Settings.builder()
                 .put(CachingUsernamePasswordRealm.CACHE_TTL_SETTING.getKey(), ttl)
                 .build();
-        RealmConfig config = new RealmConfig("test_cache_ttl", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test_cache_ttl", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config);
 
         final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password"));
@@ -254,7 +257,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
         Settings settings = Settings.builder()
                 .put(CachingUsernamePasswordRealm.CACHE_TTL_SETTING.getKey(), ttl)
                 .build();
-        RealmConfig config = new RealmConfig("test_cache_ttl", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test_cache_ttl", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         AlwaysAuthenticateCachingRealm realm = new AlwaysAuthenticateCachingRealm(config);
 
         final UsernamePasswordToken authToken = new UsernamePasswordToken("the-user", new SecureString("the-password"));
@@ -330,7 +334,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
         final SecureString randomPassword = new SecureString(randomAlphaOfLength(password.length()).toCharArray());
 
         final String passwordHash = new String(Hasher.BCRYPT.hash(password));
-        RealmConfig config = new RealmConfig("test_realm", Settings.EMPTY, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test_realm", Settings.EMPTY, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm("test", config) {
             @Override
             protected void doAuthenticate(UsernamePasswordToken token, ActionListener<AuthenticationResult> listener) {
@@ -393,7 +398,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
     public void testUserLookupConcurrency() throws Exception {
         final String username = "username";
 
-        RealmConfig config = new RealmConfig("test_realm", Settings.EMPTY, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("test_realm", Settings.EMPTY, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         final CachingUsernamePasswordRealm realm = new CachingUsernamePasswordRealm("test", config) {
             @Override
             protected void doAuthenticate(UsernamePasswordToken token, ActionListener<AuthenticationResult> listener) {
@@ -446,7 +452,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
     static class FailingAuthenticationRealm extends CachingUsernamePasswordRealm {
 
         FailingAuthenticationRealm(Settings settings, Settings global) {
-            super("failing", new RealmConfig("failing-test", settings, global, new ThreadContext(Settings.EMPTY)));
+            super("failing", new RealmConfig("failing-test", settings, global, new Environment(global),
+                    new ThreadContext(Settings.EMPTY)));
         }
 
         @Override
@@ -463,7 +470,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
     static class ThrowingAuthenticationRealm extends CachingUsernamePasswordRealm {
 
         ThrowingAuthenticationRealm(Settings settings, Settings globalSettings) {
-            super("throwing", new RealmConfig("throwing-test", settings, globalSettings, new ThreadContext(Settings.EMPTY)));
+            super("throwing", new RealmConfig("throwing-test", settings, globalSettings, new Environment(globalSettings),
+                    new ThreadContext(Settings.EMPTY)));
         }
 
         @Override
@@ -485,7 +493,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
         private boolean usersEnabled = true;
 
         AlwaysAuthenticateCachingRealm(Settings globalSettings) {
-            this(new RealmConfig("always-test", Settings.EMPTY, globalSettings, new ThreadContext(Settings.EMPTY)));
+            this(new RealmConfig("always-test", Settings.EMPTY, globalSettings, new Environment(globalSettings),
+                    new ThreadContext(Settings.EMPTY)));
         }
 
         AlwaysAuthenticateCachingRealm(RealmConfig config) {
@@ -516,7 +525,8 @@ public class CachingUsernamePasswordRealmTests extends ESTestCase {
         public final AtomicInteger lookupInvocationCounter = new AtomicInteger(0);
 
         LookupNotSupportedRealm(Settings globalSettings) {
-            super("lookup", new RealmConfig("lookup-notsupported-test", Settings.EMPTY, globalSettings, new ThreadContext(Settings.EMPTY)));
+            super("lookup", new RealmConfig("lookup-notsupported-test", Settings.EMPTY, globalSettings, new Environment(globalSettings),
+                    new ThreadContext(Settings.EMPTY)));
         }
 
         @Override

plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/DnRoleMapperTests.java

@@ -283,7 +283,7 @@ public class DnRoleMapperTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .build();
-        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new Environment(settings), new ThreadContext(Settings.EMPTY));
 
         DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool));
 
@@ -297,7 +297,7 @@ public class DnRoleMapperTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(USE_UNMAPPED_GROUPS_AS_ROLES_SETTING_KEY, true)
                 .build();
-        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new Environment(settings), new ThreadContext(Settings.EMPTY));
 
         DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool));
 
@@ -311,7 +311,8 @@ public class DnRoleMapperTests extends ESTestCase {
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .put(USE_UNMAPPED_GROUPS_AS_ROLES_SETTING_KEY, false)
                 .build();
-        RealmConfig config = new RealmConfig("ldap-userdn-role", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("ldap-userdn-role", ldapSettings, settings, new Environment(settings),
+                new ThreadContext(Settings.EMPTY));
 
         DnRoleMapper mapper = new DnRoleMapper(config, new ResourceWatcherService(settings, threadPool));
 

plugin/src/test/java/org/elasticsearch/xpack/security/authc/support/RoleMappingFileBootstrapCheckTests.java

@@ -15,6 +15,7 @@ import org.elasticsearch.bootstrap.BootstrapCheck;
 import org.elasticsearch.bootstrap.BootstrapContext;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.security.authc.RealmConfig;
 import org.junit.Before;
@@ -42,7 +43,8 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .build();
-        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("ldap1", ldapSettings, settings, new Environment(settings),
+                new ThreadContext(Settings.EMPTY));
         final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config);
         assertThat(check, notNullValue());
         assertThat(check.alwaysEnforce(), equalTo(true));
@@ -55,7 +57,8 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .build();
-        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new Environment(settings),
+                new ThreadContext(Settings.EMPTY));
         final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config);
         assertThat(check, notNullValue());
         assertThat(check.alwaysEnforce(), equalTo(true));
@@ -74,7 +77,8 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .build();
-        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new Environment(settings),
+                new ThreadContext(Settings.EMPTY));
         final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config);
         assertThat(check, notNullValue());
         assertThat(check.alwaysEnforce(), equalTo(true));
@@ -93,7 +97,8 @@ public class RoleMappingFileBootstrapCheckTests extends ESTestCase {
         Settings ldapSettings = Settings.builder()
                 .put(ROLE_MAPPING_FILE_SETTING, file.toAbsolutePath())
                 .build();
-        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("the-realm-name", ldapSettings, settings, new Environment(settings),
+                new ThreadContext(Settings.EMPTY));
         final BootstrapCheck check = RoleMappingFileBootstrapCheck.create(config);
         assertThat(check, notNullValue());
         assertThat(check.alwaysEnforce(), equalTo(true));

qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java

@@ -108,7 +108,7 @@ public class OpenLdapTests extends ESTestCase {
         String groupSearchBase = "ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         String userTemplate = "uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         RealmConfig config = new RealmConfig("oldap-test", buildLdapSettings(OPEN_LDAP_URL, userTemplate, groupSearchBase,
-                LdapSearchScope.ONE_LEVEL), globalSettings, new ThreadContext(Settings.EMPTY));
+                LdapSearchScope.ONE_LEVEL), globalSettings, new Environment(globalSettings), new ThreadContext(Settings.EMPTY));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String[] users = new String[] { "blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor" };
@@ -126,7 +126,7 @@ public class OpenLdapTests extends ESTestCase {
         String groupSearchBase = "cn=Avengers,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         String userTemplate = "uid={0},ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
         RealmConfig config = new RealmConfig("oldap-test", buildLdapSettings(OPEN_LDAP_URL, userTemplate, groupSearchBase,
-                LdapSearchScope.BASE), globalSettings, new ThreadContext(Settings.EMPTY));
+                LdapSearchScope.BASE), globalSettings, new Environment(globalSettings), new ThreadContext(Settings.EMPTY));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String[] users = new String[] { "blackwidow", "cap", "hawkeye", "hulk", "ironman", "thor" };
@@ -145,7 +145,8 @@ public class OpenLdapTests extends ESTestCase {
                 .put("group_search.filter", "(&(objectclass=posixGroup)(memberUid={0}))")
                 .put("group_search.user_attribute", "uid")
                 .build();
-        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         try (LdapSession ldap = session(sessionFactory, "selvig", PASSWORD_SECURE_STRING)){
@@ -163,7 +164,8 @@ public class OpenLdapTests extends ESTestCase {
                 .put("ssl.verification_mode", VerificationMode.CERTIFICATE)
                 .put(SessionFactory.TIMEOUT_TCP_READ_SETTING, "1ms") //1 millisecond
                 .build();
-        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         LDAPException expected = expectThrows(LDAPException.class,
@@ -180,7 +182,8 @@ public class OpenLdapTests extends ESTestCase {
                 .put("ssl.verification_mode", VerificationMode.FULL)
                 .build();
 
-        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new ThreadContext(Settings.EMPTY));
+        RealmConfig config = new RealmConfig("oldap-test", settings, globalSettings, new Environment(globalSettings),
+                new ThreadContext(Settings.EMPTY));
         LdapSessionFactory sessionFactory = new LdapSessionFactory(config, sslService, threadPool);
 
         String user = "blackwidow";