Merge branch 'master' into config-prefix

Original commit: elastic/x-pack-elasticsearch@d65b27d7cc

elasticsearch/qa/messy-test-xpack-with-mustache/src/test/java/org/elasticsearch/messy/tests/ShieldCachePermissionIT.java

@@ -53,7 +53,8 @@ public class ShieldCachePermissionIT extends ShieldIntegTestCase {
         return super.configRoles()
                 + "\nread_one_idx:\n"
                 + "  indices:\n"
-                + "    'data': READ\n";
+                + "    'data':\n"
+                + "      - read\n";
     }
 
     @Override

elasticsearch/qa/shield-reindex-tests/roles.yml

@@ -13,13 +13,13 @@ minimal:
   indices:
     - names: source
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh
     - names: dest
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh
@@ -28,7 +28,7 @@ minimal:
 readonly:
   indices:
     - names: '*'
-      privileges: [ search ]
+      privileges: [ read ]
 
 # Write operations on destination index, none on source index
 dest_only:
@@ -41,7 +41,7 @@ can_not_see_hidden_docs:
   indices:
     - names: source
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh
@@ -52,7 +52,7 @@ can_not_see_hidden_docs:
               hidden: true
     - names: dest
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh
@@ -62,7 +62,7 @@ can_not_see_hidden_fields:
   indices:
     - names: source
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh
@@ -71,7 +71,7 @@ can_not_see_hidden_fields:
          - bar
     - names: dest
       privileges:
-        - search
+        - read
         - write
         - create_index
         - indices:admin/refresh

elasticsearch/qa/smoke-test-found-license-with-shield-and-watcher/watcher-with-shield-roles.yml

@@ -4,12 +4,12 @@ admin:
     '*': all
 
 watcher_manager:
-  cluster: manage_watcher, cluster:monitor/nodes/info, cluster:monitor/health
+  cluster: manage
   indices:
     '.watcher-history-*': all
 
 watcher_monitor:
-  cluster: monitor_watcher
+  cluster: monitor
   indices:
     '.watcher-history-*': read
 

elasticsearch/qa/smoke-test-graph-with-shield/roles.yml

@@ -12,8 +12,8 @@ graph_explorer:
   indices:
     - names: '*'
       privileges:
-        - graph
+        - read
-        - indices:data/write/index
+        - write
         - indices:admin/refresh
         - indices:admin/create
     

elasticsearch/qa/smoke-test-graph-with-shield/src/test/java/org/elasticsearch/smoketest/GraphWithShieldInsufficientRoleIT.java

@@ -24,7 +24,7 @@ public class GraphWithShieldInsufficientRoleIT extends GraphWithShieldIT {
             super.test();
             fail();
         } catch(AssertionError ae) {
-            assertThat(ae.getMessage(), containsString("action [indices:data/read/graph/explore"));
+            assertThat(ae.getMessage(), containsString("action [indices:data/read/xpack/graph/explore"));
             assertThat(ae.getMessage(), containsString("returned [403 Forbidden]"));
             assertThat(ae.getMessage(), containsString("is unauthorized for user [no_graph_explorer]"));
         }

elasticsearch/qa/smoke-test-watcher-with-shield/roles.yml

@@ -8,9 +8,7 @@ admin:
 
 watcher_manager:
   cluster:
-    - manage_watcher
+    - manage
-    - cluster:monitor/nodes/info
-    - cluster:monitor/health
   indices:
     - names: '.watcher-history-*'
       privileges:
@@ -21,7 +19,7 @@ watcher_manager:
 
 watcher_monitor:
   cluster:
-    - monitor_watcher
+    - monitor
   indices:
     - names: '.watcher-history-*'
       privileges:

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/Graph.java

@@ -10,7 +10,6 @@ import java.util.Collection;
 import java.util.Collections;
 
 import org.elasticsearch.action.ActionModule;
-import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
@@ -23,8 +22,6 @@ import org.elasticsearch.graph.license.GraphLicensee;
 import org.elasticsearch.graph.license.GraphModule;
 import org.elasticsearch.graph.rest.action.RestGraphAction;
 import org.elasticsearch.plugins.Plugin;
-import org.elasticsearch.search.action.SearchTransportService;
-import org.elasticsearch.shield.Shield;
 import org.elasticsearch.xpack.XPackPlugin;
 
 public class Graph extends Plugin {
@@ -37,11 +34,6 @@ public class Graph extends Plugin {
     public Graph(Settings settings) {
         this.transportClientMode = XPackPlugin.transportClientMode(settings);
         enabled = enabled(settings);
-        // adding the graph privileges to shield
-        if (Shield.enabled(settings)) {
-            Shield.registerIndexPrivilege( "graph", GraphExploreAction.NAME, SearchTransportService.QUERY_ACTION_NAME, 
-                    SearchAction.NAME, SearchTransportService.QUERY_FETCH_ACTION_NAME);
-        }        
     }    
     
     @Override

elasticsearch/x-pack/graph/src/main/java/org/elasticsearch/graph/action/GraphExploreAction.java

@@ -12,7 +12,7 @@ public class GraphExploreAction extends Action<GraphExploreRequest, GraphExplore
     GraphExploreRequestBuilder> {
 
     public static final GraphExploreAction INSTANCE = new GraphExploreAction();
-    public static final String NAME = "indices:data/read/graph/explore";
+    public static final String NAME = "indices:data/read/xpack/graph/explore";
 
     private GraphExploreAction() {
         super(NAME);

elasticsearch/x-pack/graph/src/test/resources/rest-api-spec/test/graph/10_basic.yaml

@@ -7,6 +7,7 @@
          settings:
            index:
              number_of_replicas: 0
+             number_of_shards: 1
          mappings:
            test:
              properties:

elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/delete/TransportDeleteLicenseAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.master.TransportMasterNodeAction;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
 import org.elasticsearch.cluster.block.ClusterBlockException;

elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/get/TransportGetLicenseAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.master.TransportMasterNodeReadAction;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/action/put/TransportPutLicenseAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.master.TransportMasterNodeAction;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/license-plugin/src/main/java/org/elasticsearch/license/plugin/core/LicensesService.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.ClusterStateUpdateTask;

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/AbstractLicensesIntegrationTestCase.java

@@ -5,7 +5,7 @@
  */
 package org.elasticsearch.license.plugin;
 
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateUpdateTask;
 import org.elasticsearch.cluster.metadata.MetaData;

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/LazyLicenseRegistrationPluginService.java

@@ -5,7 +5,7 @@
  */
 package org.elasticsearch.license.plugin.consumer;
 
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Singleton;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/consumer/TestPluginServiceBase.java

@@ -7,7 +7,7 @@ package org.elasticsearch.license.plugin.consumer;
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/license-plugin/src/test/java/org/elasticsearch/license/plugin/core/LicensesManagerServiceTests.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.license.plugin.core;
 
 import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.unit.TimeValue;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/AbstractCollector.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector;
 
 import org.elasticsearch.ElasticsearchTimeoutException;
 import org.elasticsearch.Version;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/cluster/ClusterStateCollector.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.cluster;
 
 import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.node.DiscoveryNodes;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/cluster/ClusterStatsCollector.java

@@ -10,7 +10,7 @@ import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.cluster.stats.ClusterStatsResponse;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterName;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java

@@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
 import org.elasticsearch.action.admin.indices.recovery.RecoveryResponse;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java

@@ -9,7 +9,7 @@ import org.elasticsearch.action.admin.indices.stats.IndexStats;
 import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java

@@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
 import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/node/NodeStatsCollector.java

@@ -11,7 +11,7 @@ import org.elasticsearch.action.admin.cluster.node.stats.NodesStatsRequest;
 import org.elasticsearch.action.admin.indices.stats.CommonStatsFlags;
 import org.elasticsearch.bootstrap.BootstrapInfo;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.routing.allocation.decider.DiskThresholdDecider;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/shards/ShardsCollector.java

@@ -5,7 +5,7 @@
  */
 package org.elasticsearch.marvel.agent.collector.shards;
 
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.cluster.routing.RoutingTable;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/Exporters.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.marvel.agent.exporter;
 
 import org.elasticsearch.ElasticsearchException;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.component.AbstractLifecycleComponent;
 import org.elasticsearch.common.component.Lifecycle;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/exporter/local/LocalExporter.java

@@ -15,7 +15,7 @@ import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateReque
 import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/cluster/ClusterStateCollectorTests.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.marvel.agent.collector.cluster;
 
 import org.elasticsearch.Version;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.IndexMetaData;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/cluster/ClusterStatsCollectorTests.java

@@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.cluster;
 import org.apache.lucene.util.LuceneTestCase.BadApple;
 import org.elasticsearch.Version;
 import org.elasticsearch.cluster.ClusterName;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.license.plugin.core.LicensesManagerService;
 import org.elasticsearch.marvel.MarvelSettings;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollectorTests.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.indices.recovery.RecoveryResponse;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollectorTests.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.indices.stats.IndexStats;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.index.IndexNotFoundException;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollectorTests.java

@@ -8,7 +8,7 @@ package org.elasticsearch.marvel.agent.collector.indices;
 import org.elasticsearch.Version;
 import org.elasticsearch.action.admin.indices.stats.IndexStats;
 import org.elasticsearch.action.admin.indices.stats.IndicesStatsResponse;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.MetaData;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/node/NodeStatsCollectorTests.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.collector.node;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.bootstrap.BootstrapInfo;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.routing.allocation.decider.DiskThresholdDecider;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.NodeEnvironment;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/collector/shards/ShardsCollectorTests.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.marvel.agent.collector.shards;
 
 import org.elasticsearch.Version;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.routing.ShardRouting;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/agent/exporter/ExportersTests.java

@@ -7,7 +7,7 @@ package org.elasticsearch.marvel.agent.exporter;
 
 import org.elasticsearch.Version;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/shield/config/xpack/roles.yml

@@ -26,101 +26,46 @@ user:
 # Defines the required permissions for transport clients
 transport_client:
   cluster:
-      - cluster:monitor/nodes/liveness
+      - transport_client
-      #uncomment the following for sniffing
-      #- cluster:monitor/state
-
-# The required permissions for kibana 4 users.
-kibana4:
-  cluster: 
-      - cluster:monitor/nodes/info
-      - cluster:monitor/health 
-  indices:
-    - names: '*'
-      privileges:
-        - indices:admin/mappings/fields/get
-        - indices:admin/validate/query
-        - indices:data/read/search
-        - indices:data/read/msearch
-        - indices:data/read/field_stats
-        - indices:admin/get
-    - names: '.kibana'
-      privileges:
-        - indices:admin/exists
-        - indices:admin/mapping/put
-        - indices:admin/mappings/fields/get
-        - indices:admin/refresh
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
-        - indices:data/write/delete
-        - indices:data/write/index
-        - indices:data/write/update
 
 # The required permissions for the kibana 4 server
 kibana4_server:
   cluster:
-      - cluster:monitor/nodes/info
+      - monitor
-      - cluster:monitor/health
   indices:
     - names: '.kibana'
       privileges:
-        - indices:admin/create
+        - all
-        - indices:admin/exists
-        - indices:admin/mapping/put
-        - indices:admin/mappings/fields/get
-        - indices:admin/refresh
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
-        - indices:data/write/delete
-        - indices:data/write/index
-        - indices:data/write/update
 
 # The required role for logstash users
 logstash:
   cluster:
-    - indices:admin/template/get
+    - manage_index_templates
-    - indices:admin/template/put
   indices:
     - names: 'logstash-*'
       privileges:
-        - indices:data/write/bulk
+        - write
-        - indices:data/write/delete
+        - read
-        - indices:data/write/update
-        - indices:data/read/search
-        - indices:data/read/scroll
         - create_index
 
-# Monitoring user role. Assign to monitoring users.
+# Marvel user role. Assign to marvel users.
 monitoring_user:
   indices:
-    - names: '.monitoring-*'
+    - names:
-      privileges:
+        - '.marvel-es-*'
-        - read
+        - '.monitoring-*'
+      privileges: [ "read" ]
     - names: '.kibana'
       privileges:
-        - indices:admin/exists
+        - view_index_metadata
-        - indices:admin/mappings/fields/get
+        - read
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
 
-# Monitoring remote agent role. Assign to the agent user on the remote monitoring cluster
+# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
-# to which the monitoring agent will export all its data
+# to which the marvel agent will export all its data
 remote_monitoring_agent:
-  cluster:
+  cluster: [ "manage_index_templates" ]
-    - indices:admin/template/put
-    - indices:admin/template/get
   indices:
-    - names: '.monitoring-*'
+    - names:
-      privileges:
+        - '.marvel-es-*'
-        - all
+        - '.monitoring-*'
-
+      privileges: [ "all" ]
-# Allows all operations required to manage ingest pipelines
-ingest_admin:
-  cluster:
-    - manage_pipeline

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/Shield.java

@@ -290,30 +290,6 @@ public class Shield {
         }
     }
 
-    public static void registerClusterPrivilege(String name, String... patterns) {
-        try {
-            ClusterPrivilege.addCustom(name, patterns);
-        } catch (Exception se) {
-            logger.warn("could not register cluster privilege [{}]", name);
-
-            // we need to prevent bubbling the shield exception here for the tests. In the tests
-            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
-            // multiple nodes will try to add the same privileges multiple times.
-        }
-    }
-    
-    public static void registerIndexPrivilege(String name, String... patterns) {
-        try {
-            IndexPrivilege.addCustom(name, patterns);
-        } catch (Exception se) {
-            logger.warn("could not register index privilege [{}]", name);
-
-            // we need to prevent bubbling the shield exception here for the tests. In the tests
-            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
-            // multiple nodes will try to add the same privileges multiple times.
-        }
-    }    
-
     private void addUserSettings(Settings.Builder settingsBuilder) {
         String authHeaderSettingName = ThreadContext.PREFIX + "." + UsernamePasswordToken.BASIC_AUTH_HEADER;
         if (settings.get(authHeaderSettingName) != null) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldLifecycleService.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.shield;
 
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.component.LifecycleListener;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldTemplateService.java

@@ -10,7 +10,7 @@ import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateReque
 import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/realm/ClearRealmCacheAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class ClearRealmCacheAction extends Action<ClearRealmCacheRequest, ClearRealmCacheResponse, ClearRealmCacheRequestBuilder> {
 
     public static final ClearRealmCacheAction INSTANCE = new ClearRealmCacheAction();
-    public static final String NAME = "cluster:admin/shield/realm/cache/clear";
+    public static final String NAME = "cluster:admin/xpack/security/realm/cache/clear";
 
     protected ClearRealmCacheAction() {
         super(NAME);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/realm/TransportClearRealmCacheAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.nodes.TransportNodesAction;
 import org.elasticsearch.cluster.ClusterName;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/ClearRolesCacheAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class ClearRolesCacheAction extends Action<ClearRolesCacheRequest, ClearRolesCacheResponse, ClearRolesCacheRequestBuilder> {
 
     public static final ClearRolesCacheAction INSTANCE = new ClearRolesCacheAction();
-    public static final String NAME = "cluster:admin/shield/roles/cache/clear";
+    public static final String NAME = "cluster:admin/xpack/security/roles/cache/clear";
 
     protected ClearRolesCacheAction() {
         super(NAME);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/DeleteRoleAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class DeleteRoleAction extends Action<DeleteRoleRequest, DeleteRoleResponse, DeleteRoleRequestBuilder> {
 
     public static final DeleteRoleAction INSTANCE = new DeleteRoleAction();
-    public static final String NAME = "cluster:admin/shield/role/delete";
+    public static final String NAME = "cluster:admin/xpack/security/role/delete";
 
 
     protected DeleteRoleAction() {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/GetRolesAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class GetRolesAction extends Action<GetRolesRequest, GetRolesResponse, GetRolesRequestBuilder> {
 
     public static final GetRolesAction INSTANCE = new GetRolesAction();
-    public static final String NAME = "cluster:admin/shield/role/get";
+    public static final String NAME = "cluster:admin/xpack/security/role/get";
 
 
     protected GetRolesAction() {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/PutRoleAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class PutRoleAction extends Action<PutRoleRequest, PutRoleResponse, PutRoleRequestBuilder> {
 
     public static final PutRoleAction INSTANCE = new PutRoleAction();
-    public static final String NAME = "cluster:admin/shield/role/put";
+    public static final String NAME = "cluster:admin/xpack/security/role/put";
 
 
     protected PutRoleAction() {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/role/TransportClearRolesCacheAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.shield.action.role;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.nodes.TransportNodesAction;
 import org.elasticsearch.cluster.ClusterName;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/DeleteUserAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class DeleteUserAction extends Action<DeleteUserRequest, DeleteUserResponse, DeleteUserRequestBuilder> {
 
     public static final DeleteUserAction INSTANCE = new DeleteUserAction();
-    public static final String NAME = "cluster:admin/shield/user/delete";
+    public static final String NAME = "cluster:admin/xpack/security/user/delete";
 
     protected DeleteUserAction() {
         super(NAME);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/GetUsersAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class GetUsersAction extends Action<GetUsersRequest, GetUsersResponse, GetUsersRequestBuilder> {
 
     public static final GetUsersAction INSTANCE = new GetUsersAction();
-    public static final String NAME = "cluster:admin/shield/user/get";
+    public static final String NAME = "cluster:admin/xpack/security/user/get";
 
     protected GetUsersAction() {
         super(NAME);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/user/PutUserAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class PutUserAction extends Action<PutUserRequest, PutUserResponse, PutUserRequestBuilder> {
 
     public static final PutUserAction INSTANCE = new PutUserAction();
-    public static final String NAME = "cluster:admin/shield/user/put";
+    public static final String NAME = "cluster:admin/xpack/security/user/put";
 
     protected PutUserAction() {
         super(NAME);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java

@@ -19,7 +19,7 @@ import org.elasticsearch.action.index.IndexRequest;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.client.transport.TransportClient;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.metadata.IndexMetaData;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java

@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.Version;
 import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
@@ -224,6 +225,8 @@ public class InternalAuthenticationService extends AbstractComponent implements
         try {
             byte[] bytes = Base64.decode(text);
             StreamInput input = StreamInput.wrap(bytes);
+            Version version = Version.readVersion(input);
+            input.setVersion(version);
             return User.readFrom(input);
         } catch (IOException ioe) {
             throw authenticationError("could not read authenticated user", ioe);
@@ -233,6 +236,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
     static String encodeUser(User user, ESLogger logger) {
         try {
             BytesStreamOutput output = new BytesStreamOutput();
+            Version.writeVersion(Version.CURRENT, output);
             User.writeTo(user, output);
             byte[] bytes = output.bytes().toBytes();
             return Base64.encodeBytes(bytes);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java

@@ -12,7 +12,7 @@ import org.elasticsearch.action.admin.indices.alias.Alias;
 import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
 import org.elasticsearch.action.search.ClearScrollAction;
 import org.elasticsearch.action.search.SearchScrollAction;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.AliasOrIndex;
 import org.elasticsearch.cluster.metadata.MetaData;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java

@@ -40,7 +40,6 @@ import org.elasticsearch.index.query.QueryShardContext;
 import org.elasticsearch.index.shard.IndexSearcherWrapper;
 import org.elasticsearch.index.shard.ShardId;
 import org.elasticsearch.index.shard.ShardUtils;
-import org.elasticsearch.percolator.PercolatorService;
 import org.elasticsearch.shield.authz.InternalAuthorizationService;
 import org.elasticsearch.shield.authz.accesscontrol.DocumentSubsetReader.DocumentSubsetDirectoryReader;
 import org.elasticsearch.shield.license.ShieldLicenseState;
@@ -229,9 +228,10 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
     }
 
     private void resolvePercolatorFields(Set<String> allowedFields) {
-        if (mapperService.hasMapping(PercolatorService.TYPE_NAME)) {
+        if (mapperService.hasMapping(PercolatorFieldMapper.TYPE_NAME)) {
             allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
             allowedFields.add(PercolatorFieldMapper.UNKNOWN_QUERY_FULL_FIELD_NAME);
+            allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
         }
     }
 

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/ClusterPrivilege.java

@@ -6,8 +6,8 @@
 package org.elasticsearch.shield.authz.privilege;
 
 import dk.brics.automaton.Automaton;
-import dk.brics.automaton.BasicAutomata;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.shield.support.Automatons;
 
 import java.util.Locale;
 import java.util.Set;
@@ -15,16 +15,30 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CopyOnWriteArraySet;
 import java.util.function.Predicate;
 
+import static org.elasticsearch.shield.support.Automatons.minusAndDeterminize;
+import static org.elasticsearch.shield.support.Automatons.patterns;
+
 /**
  *
  */
 public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivilege> {
 
-    public static final ClusterPrivilege NONE = new ClusterPrivilege(Name.NONE, BasicAutomata.makeEmpty());
+    // shared automatons
-    public static final ClusterPrivilege ALL = new ClusterPrivilege(Name.ALL, "cluster:*", "indices:admin/template/*");
+    private static final Automaton MANAGE_SECURITY_AUTOMATON = patterns("cluster:admin/xpack/security/*");
-    public static final ClusterPrivilege MONITOR = new ClusterPrivilege("monitor", "cluster:monitor/*");
+    private static final Automaton MONITOR_AUTOMATON = patterns("cluster:monitor/*");
-    public static final ClusterPrivilege MANAGE_SHIELD = new ClusterPrivilege("manage_shield", "cluster:admin/shield/*");
+    private static final Automaton ALL_CLUSTER_AUTOMATON = patterns("cluster:*", "indices:admin/template/*");
-    public static final ClusterPrivilege MANAGE_PIPELINE = new ClusterPrivilege("manage_pipeline", "cluster:admin/ingest/pipeline/*");
+    private static final Automaton MANAGE_AUTOMATON = minusAndDeterminize(ALL_CLUSTER_AUTOMATON, MANAGE_SECURITY_AUTOMATON);
+    private static final Automaton TRANSPORT_CLIENT_AUTOMATON = patterns("cluster:monitor/nodes/liveness", "cluster:monitor/state");
+    private static final Automaton MANAGE_IDX_TEMPLATE_AUTOMATON = patterns("indices:admin/template/*");
+
+    public static final ClusterPrivilege NONE =                  new ClusterPrivilege(Name.NONE,                Automatons.EMPTY);
+    public static final ClusterPrivilege ALL =                   new ClusterPrivilege(Name.ALL,                 ALL_CLUSTER_AUTOMATON);
+    public static final ClusterPrivilege MONITOR =               new ClusterPrivilege("monitor",                MONITOR_AUTOMATON);
+    public static final ClusterPrivilege MANAGE =                new ClusterPrivilege("manage",                 MANAGE_AUTOMATON);
+    public static final ClusterPrivilege MANAGE_IDX_TEMPLATES =
+            new ClusterPrivilege("manage_index_templates", MANAGE_IDX_TEMPLATE_AUTOMATON);
+    public static final ClusterPrivilege TRANSPORT_CLIENT =      new ClusterPrivilege("transport_client",       TRANSPORT_CLIENT_AUTOMATON);
+    public static final ClusterPrivilege MANAGE_SECURITY =       new ClusterPrivilege("manage_security",        MANAGE_SECURITY_AUTOMATON);
 
     public final static Predicate<String> ACTION_MATCHER = ClusterPrivilege.ALL.predicate();
 
@@ -34,8 +48,10 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivileg
         values.add(NONE);
         values.add(ALL);
         values.add(MONITOR);
-        values.add(MANAGE_SHIELD);
+        values.add(MANAGE);
-        values.add(MANAGE_PIPELINE);
+        values.add(MANAGE_IDX_TEMPLATES);
+        values.add(TRANSPORT_CLIENT);
+        values.add(MANAGE_SECURITY);
     }
 
     static Set<ClusterPrivilege> values() {
@@ -48,8 +64,8 @@ public class ClusterPrivilege extends AbstractAutomatonPrivilege<ClusterPrivileg
         super(name, patterns);
     }
 
-    private ClusterPrivilege(Name name, String... patterns) {
+    private ClusterPrivilege(String name, Automaton automaton) {
-        super(name, patterns);
+        super(new Name(name), automaton);
     }
 
     private ClusterPrivilege(Name name, Automaton automaton) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/privilege/IndexPrivilege.java

@@ -6,14 +6,21 @@
 package org.elasticsearch.shield.authz.privilege;
 
 import dk.brics.automaton.Automaton;
-import dk.brics.automaton.BasicAutomata;
+import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsAction;
+import org.elasticsearch.action.admin.indices.alias.exists.AliasesExistAction;
+import org.elasticsearch.action.admin.indices.alias.get.GetAliasesAction;
 import org.elasticsearch.action.admin.indices.create.CreateIndexAction;
-import org.elasticsearch.action.get.GetAction;
+import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction;
-import org.elasticsearch.action.get.MultiGetAction;
+import org.elasticsearch.action.admin.indices.exists.indices.IndicesExistsAction;
-import org.elasticsearch.action.search.MultiSearchAction;
+import org.elasticsearch.action.admin.indices.exists.types.TypesExistsAction;
-import org.elasticsearch.action.search.SearchAction;
+import org.elasticsearch.action.admin.indices.get.GetIndexAction;
-import org.elasticsearch.action.suggest.SuggestAction;
+import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsAction;
+import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsAction;
+import org.elasticsearch.action.admin.indices.mapping.put.PutMappingAction;
+import org.elasticsearch.action.admin.indices.settings.get.GetSettingsAction;
+import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.shield.support.Automatons;
 
 import java.util.Locale;
 import java.util.Set;
@@ -21,29 +28,41 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.CopyOnWriteArraySet;
 import java.util.function.Predicate;
 
+import static org.elasticsearch.shield.support.Automatons.patterns;
+import static org.elasticsearch.shield.support.Automatons.unionAndDeterminize;
+
 /**
  *
  */
 public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
 
-    public static final IndexPrivilege NONE = new IndexPrivilege(Name.NONE, BasicAutomata.makeEmpty());
+    private static final Automaton ALL_AUTOMATON = patterns("indices:*");
-    public static final IndexPrivilege ALL = new IndexPrivilege(Name.ALL, "indices:*");
+    private static final Automaton READ_AUTOMATON = patterns("indices:data/read/*");
-    public static final IndexPrivilege MANAGE = new IndexPrivilege("manage", "indices:monitor/*", "indices:admin/*");
+    private static final Automaton CREATE_AUTOMATON = patterns("indices:data/write/index*", PutMappingAction.NAME);
-    public static final IndexPrivilege CREATE_INDEX = new IndexPrivilege("create_index", CreateIndexAction.NAME);
+    private static final Automaton INDEX_AUTOMATON =
-    public static final IndexPrivilege MANAGE_ALIASES = new IndexPrivilege("manage_aliases", "indices:admin/aliases*");
+            patterns("indices:data/write/index*", "indices:data/write/update*", PutMappingAction.NAME);
-    public static final IndexPrivilege MONITOR = new IndexPrivilege("monitor", "indices:monitor/*");
+    private static final Automaton DELETE_AUTOMATON = patterns("indices:data/write/delete*");
-    public static final IndexPrivilege DATA_ACCESS = new IndexPrivilege("data_access", "indices:data/*", "indices:admin/mapping/put");
+    private static final Automaton WRITE_AUTOMATON = patterns("indices:data/write/*", PutMappingAction.NAME);
-    public static final IndexPrivilege CRUD =
+    private static final Automaton MONITOR_AUTOMATON = patterns("indices:monitor/*");
-            new IndexPrivilege("crud", "indices:data/write/*", "indices:data/read/*", "indices:admin/mapping/put");
+    private static final Automaton MANAGE_AUTOMATON = unionAndDeterminize(MONITOR_AUTOMATON, patterns("indices:admin/*"));
-    public static final IndexPrivilege READ = new IndexPrivilege("read", "indices:data/read/*");
+    private static final Automaton CREATE_INDEX_AUTOMATON = patterns(CreateIndexAction.NAME);
-    public static final IndexPrivilege SEARCH =
+    private static final Automaton DELETE_INDEX_AUTOMATON = patterns(DeleteIndexAction.NAME);
-            new IndexPrivilege("search", SearchAction.NAME + "*", MultiSearchAction.NAME + "*", SuggestAction.NAME + "*");
+    private static final Automaton VIEW_METADATA_AUTOMATON = patterns(GetAliasesAction.NAME, AliasesExistAction.NAME,
-    public static final IndexPrivilege GET = new IndexPrivilege("get", GetAction.NAME + "*", MultiGetAction.NAME + "*");
+            GetIndexAction.NAME, IndicesExistsAction.NAME, GetFieldMappingsAction.NAME, GetMappingsAction.NAME,
-    public static final IndexPrivilege SUGGEST = new IndexPrivilege("suggest", SuggestAction.NAME + "*");
+            ClusterSearchShardsAction.NAME, TypesExistsAction.NAME, ValidateQueryAction.NAME, GetSettingsAction.NAME);
-    public static final IndexPrivilege INDEX =
+
-            new IndexPrivilege("index", "indices:data/write/index*", "indices:data/write/update*", "indices:admin/mapping/put");
+    public static final IndexPrivilege NONE =                new IndexPrivilege(Name.NONE,             Automatons.EMPTY);
-    public static final IndexPrivilege DELETE = new IndexPrivilege("delete", "indices:data/write/delete*");
+    public static final IndexPrivilege ALL =                 new IndexPrivilege(Name.ALL,              ALL_AUTOMATON);
-    public static final IndexPrivilege WRITE = new IndexPrivilege("write", "indices:data/write/*", "indices:admin/mapping/put");
+    public static final IndexPrivilege READ =                new IndexPrivilege("read",                READ_AUTOMATON);
+    public static final IndexPrivilege CREATE =              new IndexPrivilege("create",              CREATE_AUTOMATON);
+    public static final IndexPrivilege INDEX =               new IndexPrivilege("index",               INDEX_AUTOMATON);
+    public static final IndexPrivilege DELETE =              new IndexPrivilege("delete",              DELETE_AUTOMATON);
+    public static final IndexPrivilege WRITE =               new IndexPrivilege("write",               WRITE_AUTOMATON);
+    public static final IndexPrivilege MONITOR =             new IndexPrivilege("monitor",             MONITOR_AUTOMATON);
+    public static final IndexPrivilege MANAGE =              new IndexPrivilege("manage",              MANAGE_AUTOMATON);
+    public static final IndexPrivilege DELETE_INDEX =        new IndexPrivilege("delete_index",        DELETE_INDEX_AUTOMATON);
+    public static final IndexPrivilege CREATE_INDEX =        new IndexPrivilege("create_index",        CREATE_INDEX_AUTOMATON);
+    public static final IndexPrivilege VIEW_METADATA =       new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
 
     private static final Set<IndexPrivilege> values = new CopyOnWriteArraySet<>();
 
@@ -52,17 +71,14 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
         values.add(ALL);
         values.add(MANAGE);
         values.add(CREATE_INDEX);
-        values.add(MANAGE_ALIASES);
         values.add(MONITOR);
-        values.add(DATA_ACCESS);
-        values.add(CRUD);
         values.add(READ);
-        values.add(SEARCH);
-        values.add(GET);
-        values.add(SUGGEST);
         values.add(INDEX);
         values.add(DELETE);
         values.add(WRITE);
+        values.add(CREATE);
+        values.add(DELETE_INDEX);
+        values.add(VIEW_METADATA);
     }
 
     public static final Predicate<String> ACTION_MATCHER = ALL.predicate();
@@ -78,8 +94,8 @@ public class IndexPrivilege extends AbstractAutomatonPrivilege<IndexPrivilege> {
         super(name, patterns);
     }
 
-    private IndexPrivilege(Name name, String... patterns) {
+    private IndexPrivilege(String name, Automaton automaton) {
-        super(name, patterns);
+        super(new Name(name), automaton);
     }
 
     private IndexPrivilege(Name name, Automaton automaton) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/Automatons.java

@@ -24,6 +24,8 @@ import static dk.brics.automaton.MinimizationOperations.minimize;
  */
 public final class Automatons {
 
+    public static final Automaton EMPTY = BasicAutomata.makeEmpty();
+
     static final char WILDCARD_STRING = '*';     // String equality with support for wildcards
     static final char WILDCARD_CHAR = '?';       // Char equality with support for wildcards
     static final char WILDCARD_ESCAPE = '\\';    // Escape character

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java

@@ -63,7 +63,8 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase {
             builder.append("  cluster: [ all ]\n");
             builder.append("  indices:\n");
             builder.append("    - names: '*'\n");
-            builder.append("      privileges: [ ALL ]\n");
+            builder.append("      privileges:\n");
+            builder.append("        - all\n");
             builder.append("      query: \n");
             builder.append("        term: \n");
             builder.append("          field1: value").append(i).append('\n');

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java

@@ -73,10 +73,12 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
     protected String configRoles() {
         return super.configRoles() +
                 "\nrole1:\n" +
-                "  cluster: [ all ]\n" +
+                "  cluster:\n" +
+                "    - all\n" +
                 "  indices:\n" +
                 "    - names: '*'\n" +
-                "      privileges: [ ALL ]\n" +
+                "      privileges:\n" +
+                "        - all\n" +
                 "      query: \n" +
                 "        term: \n" +
                 "          field1: value1\n" +

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java

@@ -86,10 +86,12 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
                 "      privileges: [ ALL ]\n" +
                 "      fields:\n" +roleFields.toString() +
                 "role2:\n" +
-                "  cluster: [ all ]\n" +
+                "  cluster:\n" +
+                "    - all\n" +
                 "  indices:\n" +
                 "    - names: test\n" +
-                "      privileges: [ ALL ]\n" +
+                "      privileges:\n" +
+                "        - all\n" +
                 "      fields:\n" +
                 "        - field1\n" +
                 "role3:\n" +

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/SearchGetAndSuggestPermissionsTests.java

@@ -1,199 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.integration;
-
-import org.elasticsearch.ElasticsearchSecurityException;
-import org.elasticsearch.action.get.MultiGetResponse;
-import org.elasticsearch.action.index.IndexResponse;
-import org.elasticsearch.action.search.MultiSearchResponse;
-import org.elasticsearch.action.search.SearchResponse;
-import org.elasticsearch.action.suggest.SuggestResponse;
-import org.elasticsearch.client.Client;
-import org.elasticsearch.search.suggest.SuggestBuilders;
-import org.elasticsearch.shield.authc.support.Hasher;
-import org.elasticsearch.shield.authc.support.SecuredString;
-import org.elasticsearch.shield.authc.support.SecuredStringTests;
-import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
-import org.elasticsearch.test.ShieldIntegTestCase;
-
-import java.util.Map;
-
-import static java.util.Collections.singletonMap;
-import static org.elasticsearch.client.Requests.searchRequest;
-import static org.elasticsearch.common.xcontent.XContentFactory.jsonBuilder;
-import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationException;
-import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-
-public class SearchGetAndSuggestPermissionsTests extends ShieldIntegTestCase {
-    protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("passwd".toCharArray())));
-
-    @Override
-    protected String configRoles() {
-        return super.configRoles() + "\n" +
-                "\n" +
-                "search_role:\n" +
-                "  indices:\n" +
-                "    - names: 'a'\n" +
-                "      privileges: [ search ]\n" +
-                "\n" +
-                "get_role:\n" +
-                "  indices:\n" +
-                "    - names: 'a'\n" +
-                "      privileges: [ get ]\n" +
-                "\n" +
-                "suggest_role:\n" +
-                "  indices:\n" +
-                "    - names: 'a'\n" +
-                "      privileges: [ suggest ]\n";
-    }
-
-    @Override
-    protected String configUsers() {
-        return super.configUsers() +
-                "search_user:" + USERS_PASSWD_HASHED + "\n" +
-                "get_user:" + USERS_PASSWD_HASHED + "\n" +
-                "suggest_user:" + USERS_PASSWD_HASHED + "\n";
-
-    }
-
-    @Override
-    protected String configUsersRoles() {
-        return super.configUsersRoles() +
-                "search_role:search_user\n" +
-                "get_role:get_user\n" +
-                "suggest_role:suggest_user\n";
-    }
-
-    /**
-     * testing both "search" and "suggest" privileges can execute the suggest API
-     */
-    public void testSuggestAPI() throws Exception {
-        IndexResponse indexResponse = index("a", "type", jsonBuilder()
-                .startObject()
-                .field("name", "value")
-                .endObject());
-        assertThat(indexResponse.isCreated(), is(true));
-
-        refresh();
-
-        Client client = internalCluster().transportClient();
-
-        Map<String, String> headers = singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("suggest_user", "passwd"));
-        SuggestResponse suggestResponse = client.filterWithHeader(headers)
-                .prepareSuggest("a")
-                .addSuggestion(randomAsciiOfLengthBetween(3,7), SuggestBuilders.termSuggestion("name").text("val")).get();
-        assertNoFailures(suggestResponse);
-        assertThat(suggestResponse.getSuggest().size(), is(1));
-
-        suggestResponse = client
-                .filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
-                .prepareSuggest("a")
-                .addSuggestion(randomAsciiOfLengthBetween(3, 7), SuggestBuilders.termSuggestion("name").text("val")).get();
-        assertNoFailures(suggestResponse);
-        assertThat(suggestResponse.getSuggest().size(), is(1));
-
-        try {
-            client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("suggest_user", "passwd")))
-                    .prepareSearch("a")
-                    .get();
-            fail("a user with only a suggest privilege cannot execute search");
-        } catch (ElasticsearchSecurityException e) {
-            logger.error("failed to search", e);
-            // expected
-        }
-    }
-
-    /**
-     * testing that "search" privilege cannot execute the get API
-     */
-    public void testGetAPI() throws Exception {
-        IndexResponse indexResponse = index("a", "type", jsonBuilder()
-                .startObject()
-                .field("name", "value")
-                .endObject());
-        assertThat(indexResponse.isCreated(), is(true));
-
-        refresh();
-
-        Client client = internalCluster().transportClient();
-
-        try {
-            client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
-                    .prepareGet("a", "type", indexResponse.getId())
-                    .get();
-            fail("a user with only search privilege should not be authorized for a get request");
-        } catch (ElasticsearchSecurityException e) {
-            // expected
-            assertAuthorizationException(e);
-            logger.error("could not get document", e);
-        }
-    }
-
-    /**
-     * testing that "get" privilege can execute the mget API, and "search" privilege cannot execute mget
-     */
-    public void testMultiGetAPI() throws Exception {
-        IndexResponse indexResponse = index("a", "type", jsonBuilder()
-                .startObject()
-                .field("name", "value")
-                .endObject());
-        assertThat(indexResponse.isCreated(), is(true));
-
-        refresh();
-
-        Client client = internalCluster().transportClient();
-
-        MultiGetResponse response = client
-                .filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("get_user", "passwd")))
-                .prepareMultiGet().add("a", "type", indexResponse.getId())
-                .get();
-        assertNotNull(response);
-        assertThat(response.getResponses().length, is(1));
-        assertThat(response.getResponses()[0].getId(), equalTo(indexResponse.getId()));
-
-        try {
-            client.filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
-                    .prepareMultiGet().add("a", "type", indexResponse.getId())
-                    .get();
-            fail("a user with only a search privilege should not be able to execute the mget API");
-        } catch (ElasticsearchSecurityException e) {
-            // expected
-            assertAuthorizationException(e);
-            logger.error("could not mget documents", e);
-        }
-    }
-
-    /**
-     * testing that "search" privilege can execute the msearch API
-     */
-    public void testMultiSearchAPI() throws Exception {
-        IndexResponse indexResponse = index("a", "type", jsonBuilder()
-                .startObject()
-                .field("name", "value")
-                .endObject());
-        assertThat(indexResponse.isCreated(), is(true));
-
-        refresh();
-
-        Client client = internalCluster().transportClient();
-
-        MultiSearchResponse response = client
-                .filterWithHeader(singletonMap(UsernamePasswordToken.BASIC_AUTH_HEADER, userHeader("search_user", "passwd")))
-                .prepareMultiSearch().add(searchRequest("a").types("type"))
-                .get();
-        assertNotNull(response);
-        assertThat(response.getResponses().length, is(1));
-        SearchResponse first = response.getResponses()[0].getResponse();
-        assertNotNull(first);
-        assertNoFailures(first);
-    }
-
-    private static String userHeader(String username, String password) {
-        return UsernamePasswordToken.basicAuthHeaderValue(username, SecuredStringTests.build(password));
-    }
-}

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java

@@ -12,7 +12,7 @@ import org.elasticsearch.action.admin.indices.settings.get.GetSettingsResponse;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Settings;

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailUpdateMappingTests.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.shield.audit.index;
 
 import org.elasticsearch.action.admin.indices.mapping.get.GetMappingsResponse;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.inject.util.Providers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.transport.BoundTransportAddress;

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/InternalAuthenticationServiceTests.java

@@ -7,6 +7,8 @@ package org.elasticsearch.shield.authc;
 
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.ElasticsearchSecurityException;
+import org.elasticsearch.Version;
+import org.elasticsearch.common.Base64;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.settings.Settings;
@@ -750,6 +752,15 @@ public class InternalAuthenticationServiceTests extends ESTestCase {
         }
     }
 
+    public void testVersionWrittenWithUser() throws Exception {
+        User user = new User("username", "r1", "r2", "r3");
+        String text = InternalAuthenticationService.encodeUser(user, null);
+
+        StreamInput input = StreamInput.wrap(Base64.decode(text));
+        Version version = Version.readVersion(input);
+        assertThat(version, is(Version.CURRENT));
+    }
+
     private static class InternalMessage extends TransportMessage {
     }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/ldap/support/SessionFactoryLoadBalancingTests.java

@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.shield.authc.ldap.support;
 
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.authc.RealmConfig;
@@ -12,8 +13,10 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.ssl.ClientSSLService;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
+import static org.hamcrest.Matchers.greaterThanOrEqualTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
 
@@ -43,6 +46,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
 
     public void testRoundRobinWithFailures() throws Exception {
         assumeTrue("at least one ldap server should be present for this test", ldapServers.length > 1);
+        logger.debug("using [{}] ldap servers, urls {}", ldapServers.length, ldapUrls());
         TestSessionFactory testSessionFactory = createSessionFactory(LdapLoadBalancing.ROUND_ROBIN);
 
         // create a list of ports
@@ -50,19 +54,31 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
         for (int i = 0; i < ldapServers.length; i++) {
             ports.add(ldapServers[i].getListenPort());
         }
+        logger.debug("list of all ports {}", ports);
 
-        int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
+        final int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
-        for (int i = 0; i < numberToKill; i++) {
+        logger.debug("killing [{}] servers", numberToKill);
-            int index = randomIntBetween(0, numberOfLdapServers - 1);
+
-            ports.remove(Integer.valueOf(ldapServers[index].getListenPort()));
+        // get a subset to kil
+        final List<InMemoryDirectoryServer> ldapServersToKill = randomSubsetOf(numberToKill, ldapServers);
+        final List<InMemoryDirectoryServer> ldapServersList = Arrays.asList(ldapServers);
+        for (InMemoryDirectoryServer ldapServerToKill : ldapServersToKill) {
+            final int index = ldapServersList.indexOf(ldapServerToKill);
+            assertThat(index, greaterThanOrEqualTo(0));
+            final Integer port = Integer.valueOf(ldapServers[index].getListenPort());
+            logger.debug("shutting down server index [{}] listening on [{}]", index, port);
+            assertTrue(ports.remove(port));
             ldapServers[index].shutDown(true);
+            assertThat(ldapServers[index].getListenPort(), is(-1));
         }
 
         final int numberOfIterations = randomIntBetween(1, 5);
         for (int iteration = 0; iteration < numberOfIterations; iteration++) {
+            logger.debug("iteration [{}]", iteration);
             for (Integer port : ports) {
                 LDAPConnection connection = null;
                 try {
+                    logger.debug("attempting connection with expected port [{}]", port);
                     connection = testSessionFactory.getServerSet().getConnection();
                     assertThat(connection.getConnectedPort(), is(port));
                 } finally {
@@ -76,6 +92,7 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
 
     public void testFailover() throws Exception {
         assumeTrue("at least one ldap server should be present for this test", ldapServers.length > 1);
+        logger.debug("using [{}] ldap servers, urls {}", ldapServers.length, ldapUrls());
         TestSessionFactory testSessionFactory = createSessionFactory(LdapLoadBalancing.FAILOVER);
 
         // first test that there is no round robin stuff going on
@@ -92,32 +109,46 @@ public class SessionFactoryLoadBalancingTests extends LdapTestCase {
             }
         }
 
-        List<Integer> stoppedServers = new ArrayList<>();
+        logger.debug("shutting down server index [0] listening on [{}]", ldapServers[0].getListenPort());
-        // now we should kill some servers including the first one
+        // always kill the first one
-        int numberToKill = randomIntBetween(1, numberOfLdapServers - 1);
-        // always kill the first one, but don't add to the list
         ldapServers[0].shutDown(true);
-        stoppedServers.add(0);
+        assertThat(ldapServers[0].getListenPort(), is(-1));
-        for (int i = 0; i < numberToKill - 1; i++) {
+
-            int index = randomIntBetween(1, numberOfLdapServers - 1);
+        // now randomly shutdown some others
-            ldapServers[index].shutDown(true);
+        if (ldapServers.length > 2) {
-            stoppedServers.add(index);
+            // kill at least one other server, but we need at least one good one. Hence the upper bound is number - 2 since we need at least
+            // one server to use!
+            final int numberToKill = randomIntBetween(1, numberOfLdapServers - 2);
+            InMemoryDirectoryServer[] allButFirstServer = Arrays.copyOfRange(ldapServers, 1, ldapServers.length);
+            // get a subset to kil
+            final List<InMemoryDirectoryServer> ldapServersToKill = randomSubsetOf(numberToKill, allButFirstServer);
+            final List<InMemoryDirectoryServer> ldapServersList = Arrays.asList(ldapServers);
+            for (InMemoryDirectoryServer ldapServerToKill : ldapServersToKill) {
+                final int index = ldapServersList.indexOf(ldapServerToKill);
+                assertThat(index, greaterThanOrEqualTo(1));
+                final Integer port = Integer.valueOf(ldapServers[index].getListenPort());
+                logger.debug("shutting down server index [{}] listening on [{}]", index, port);
+                ldapServers[index].shutDown(true);
+                assertThat(ldapServers[index].getListenPort(), is(-1));
+            }
         }
 
         int firstNonStoppedPort = -1;
         // now we find the first that isn't stopped
         for (int i = 0; i < numberOfLdapServers; i++) {
-            if (stoppedServers.contains(i) == false) {
+            if (ldapServers[i].getListenPort() != -1) {
                 firstNonStoppedPort = ldapServers[i].getListenPort();
                 break;
             }
         }
+        logger.debug("first non stopped port [{}]", firstNonStoppedPort);
 
         assertThat(firstNonStoppedPort, not(-1));
         final int numberOfIterations = randomIntBetween(1, 5);
         for (int iteration = 0; iteration < numberOfIterations; iteration++) {
             LDAPConnection connection = null;
             try {
+                logger.debug("attempting connection with expected port [{}] iteration [{}]", firstNonStoppedPort, iteration);
                 connection = testSessionFactory.getServerSet().getConnection();
                 assertThat(connection.getConnectedPort(), is(firstNonStoppedPort));
             } finally {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/IndexAliasesTests.java

@@ -60,30 +60,30 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
                 "  indices:\n" +
                 "    - names: '*'\n" +
                 "      privileges: [ create_index ]\n" +
-                //role that has create index and managa aliases on test_*, not enough to manage aliases outside of test_* namespace
+                //role that has create index and manage_aliases on test_*, not enough to manage_aliases aliases outside of test_* namespace
                 "create_test_aliases_test:\n" +
                 "  indices:\n" +
                 "    - names: 'test_*'\n" +
-                "      privileges: [ create_index, manage_aliases ]\n" +
+                "      privileges: [ create_index, 'indices:admin/aliases*' ]\n" +
-                //role that has create index on test_* and manage aliases on alias_*, can't create aliases pointing to test_* though
+                //role that has create index on test_* and manage_aliases on alias_*, can't create aliases pointing to test_* though
                 "create_test_aliases_alias:\n" +
                 "  indices:\n" +
                 "    - names: 'test_*'\n" +
                 "      privileges: [ create_index ]\n" +
                 "    - names: 'alias_*'\n" +
-                "      privileges: [ manage_aliases ]\n" +
+                "      privileges: [ 'indices:admin/aliases*' ]\n" +
                 //role that has create index on test_* and manage_aliases on both alias_* and test_*
                 "create_test_aliases_test_alias:\n" +
                 "  indices:\n" +
                 "    - names: 'test_*'\n" +
                 "      privileges: [ create_index ]\n" +
                 "    - names: [ 'alias_*', 'test_*' ]\n" +
-                "      privileges: [ manage_aliases ]\n" +
+                "      privileges: [ 'indices:admin/aliases*' ]\n" +
                 //role that has manage_aliases only on both test_* and alias_*
                 "aliases_only:\n" +
                 "  indices:\n" +
                 "    - names: [ 'alias_*', 'test_*']\n" +
-                "      privileges: [ manage_aliases ]\n";
+                "      privileges: [ 'indices:admin/aliases*' ]\n";
     }
 
     @Before
@@ -368,7 +368,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
         assertAcked(client.admin().indices().prepareCreate("test_1"));
 
         try {
-            //fails: user doesn't have manage aliases on test_1
+            //fails: user doesn't have manage_aliases aliases on test_1
             client.admin().indices().prepareAliases().addAlias("test_1", "test_alias").get();
             fail("add alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
         } catch(ElasticsearchSecurityException e) {
@@ -377,7 +377,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
         }
 
         try {
-            //fails: user doesn't have manage aliases on test_1
+            //fails: user doesn't have manage_aliases aliases on test_1
             client.admin().indices().prepareAliases().addAlias("test_1", "alias_1").get();
             fail("add alias should have failed due to missing manage_aliases privileges on test_1");
         } catch(ElasticsearchSecurityException e) {
@@ -386,7 +386,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
         }
 
         try {
-            //fails: user doesn't have manage aliases on test_*, no matching indices to replace wildcards
+            //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
             client.admin().indices().prepareAliases().addAlias("test_*", "alias_1").get();
             fail("add alias should have failed due to missing manage_aliases privileges on test_1");
         } catch(IndexNotFoundException e) {
@@ -465,7 +465,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
         assertAcked(client.admin().indices().prepareCreate("test_1"));
 
         try {
-            //fails: user doesn't have manage aliases on test_1, nor test_alias
+            //fails: user doesn't have manage_aliases aliases on test_1, nor test_alias
             client.admin().indices().prepareGetAliases().setAliases("test_alias").setIndices("test_1").get();
             fail("get alias should have failed due to missing manage_aliases privileges on test_alias and test_1");
         } catch(ElasticsearchSecurityException e) {
@@ -474,7 +474,7 @@ public class IndexAliasesTests extends ShieldIntegTestCase {
         }
 
         try {
-            //fails: user doesn't have manage aliases on test_*, no matching indices to replace wildcards
+            //fails: user doesn't have manage_aliases aliases on test_*, no matching indices to replace wildcards
             client.admin().indices().prepareGetAliases().setIndices("test_*").setAliases("test_alias").get();
             fail("get alias should have failed due to missing manage_aliases privileges on test_*");
         } catch(IndexNotFoundException e) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/InternalAuthorizationServiceTests.java

@@ -31,7 +31,7 @@ import org.elasticsearch.action.termvectors.TermVectorsAction;
 import org.elasticsearch.action.termvectors.TermVectorsRequest;
 import org.elasticsearch.action.update.UpdateAction;
 import org.elasticsearch.action.update.UpdateRequest;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.AliasMetaData;
 import org.elasticsearch.cluster.metadata.IndexMetaData;
@@ -302,7 +302,7 @@ public class InternalAuthorizationServiceTests extends ESTestCase {
         User user = new User("test user", "a_star", "b");
         ClusterState state = mock(ClusterState.class);
         when(rolesStore.role("a_star")).thenReturn(Role.builder("a_star").add(IndexPrivilege.ALL, "a*").build());
-        when(rolesStore.role("b")).thenReturn(Role.builder("a_star").add(IndexPrivilege.SEARCH, "b").build());
+        when(rolesStore.role("b")).thenReturn(Role.builder("a_star").add(IndexPrivilege.READ, "b").build());
         when(clusterService.state()).thenReturn(state);
         Settings indexSettings = Settings.builder().put("index.version.created", Version.CURRENT).build();
         when(state.metaData()).thenReturn(MetaData.builder()

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesResolverTests.java

@@ -22,7 +22,7 @@ import org.elasticsearch.action.search.SearchAction;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Requests;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.metadata.AliasAction;
 import org.elasticsearch.cluster.metadata.AliasMetaData;

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/permission/PermissionTests.java

@@ -18,7 +18,6 @@ import java.util.function.Predicate;
 
 import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.MONITOR;
 import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.READ;
-import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.SEARCH;
 import static org.elasticsearch.shield.authz.privilege.IndexPrivilege.union;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
@@ -33,7 +32,7 @@ public class PermissionTests extends ESTestCase {
     @Before
     public void init() {
         Role.Builder builder = Role.builder("test");
-        builder.add(union(SEARCH, MONITOR), "test_*", "/foo.*/");
+        builder.add(union(MONITOR), "test_*", "/foo.*/");
         builder.add(union(READ), "baz_*foo", "/fool.*bar/");
         builder.add(union(MONITOR), "/bar.*/");
         permission = builder.build();

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/privilege/PrivilegeTests.java

@@ -5,15 +5,10 @@
  */
 package org.elasticsearch.shield.authz.privilege;
 
-import org.elasticsearch.action.get.GetAction;
-import org.elasticsearch.action.get.MultiGetAction;
 import org.elasticsearch.action.ingest.DeletePipelineAction;
 import org.elasticsearch.action.ingest.GetPipelineAction;
 import org.elasticsearch.action.ingest.PutPipelineAction;
 import org.elasticsearch.action.ingest.SimulatePipelineAction;
-import org.elasticsearch.action.search.MultiSearchAction;
-import org.elasticsearch.action.search.SearchAction;
-import org.elasticsearch.action.suggest.SuggestAction;
 import org.elasticsearch.shield.support.AutomatonPredicate;
 import org.elasticsearch.shield.support.Automatons;
 import org.elasticsearch.test.ESTestCase;
@@ -77,16 +72,6 @@ public class PrivilegeTests extends ESTestCase {
         assertThat(cluster, is(cluster2));
     }
 
-    public void testIngestPrivilege() throws Exception {
-        Privilege.Name name = new Privilege.Name("manage_pipeline");
-        ClusterPrivilege cluster = ClusterPrivilege.get(name);
-        assertThat(cluster, is(ClusterPrivilege.MANAGE_PIPELINE));
-        assertThat(cluster.predicate().test(PutPipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(DeletePipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(GetPipelineAction.NAME), is(true));
-        assertThat(cluster.predicate().test(SimulatePipelineAction.NAME), is(true));
-    }
-
     public void testClusterTemplateActions() throws Exception {
         Privilege.Name name = new Privilege.Name("indices:admin/template/delete");
         ClusterPrivilege cluster = ClusterPrivilege.get(name);
@@ -262,27 +247,4 @@ public class PrivilegeTests extends ESTestCase {
         assertThat(predicate.test("indices:admin/mapping/put"), is(false));
         assertThat(predicate.test("indices:admin/mapping/whatever"), is(false));
     }
-
-    public void testSearchPrivilege() throws Exception {
-        Predicate<String> predicate = IndexPrivilege.SEARCH.predicate();
-        assertThat(predicate.test(SearchAction.NAME), is(true));
-        assertThat(predicate.test(SearchAction.NAME + "/whatever"), is(true));
-        assertThat(predicate.test(MultiSearchAction.NAME), is(true));
-        assertThat(predicate.test(MultiSearchAction.NAME + "/whatever"), is(true));
-        assertThat(predicate.test(SuggestAction.NAME), is(true));
-        assertThat(predicate.test(SuggestAction.NAME + "/whatever"), is(true));
-
-        assertThat(predicate.test(GetAction.NAME), is(false));
-        assertThat(predicate.test(GetAction.NAME + "/whatever"), is(false));
-        assertThat(predicate.test(MultiGetAction.NAME), is(false));
-        assertThat(predicate.test(MultiGetAction.NAME + "/whatever"), is(false));
-    }
-
-    public void testGetPrivilege() throws Exception {
-        Predicate<String> predicate = IndexPrivilege.GET.predicate();
-        assertThat(predicate.test(GetAction.NAME), is(true));
-        assertThat(predicate.test(GetAction.NAME + "/whatever"), is(true));
-        assertThat(predicate.test(MultiGetAction.NAME), is(true));
-        assertThat(predicate.test(MultiGetAction.NAME + "/whatever"), is(true));
-    }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java

@@ -82,7 +82,8 @@ public class FileRolesStoreTests extends ESTestCase {
         assertThat(group.indices().length, is(1));
         assertThat(group.indices()[0], equalTo("idx3"));
         assertThat(group.privilege(), notNullValue());
-        assertThat(group.privilege(), is(IndexPrivilege.CRUD));
+        assertThat(group.privilege().implies(IndexPrivilege.READ), is(true));
+        assertThat(group.privilege().implies(IndexPrivilege.WRITE),is(true));
 
         role = roles.get("role1.ab");
         assertThat(role, notNullValue());
@@ -228,21 +229,20 @@ public class FileRolesStoreTests extends ESTestCase {
      * This test is mainly to make sure we can read the default roles.yml config
      */
     public void testDefaultRolesFile() throws Exception {
+        // TODO we should add the config dir to the resources so we don't copy this stuff around...
         Path path = getDataPath("default_roles.yml");
         Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.EMPTY);
         assertThat(roles, notNullValue());
-        assertThat(roles.size(), is(10));
+        assertThat(roles.size(), is(8));
 
         assertThat(roles, hasKey("admin"));
         assertThat(roles, hasKey("power_user"));
         assertThat(roles, hasKey("user"));
-        assertThat(roles, hasKey("kibana4"));
+        assertThat(roles, hasKey("transport_client"));
         assertThat(roles, hasKey("kibana4_server"));
         assertThat(roles, hasKey("logstash"));
         assertThat(roles, hasKey("monitoring_user"));
         assertThat(roles, hasKey("remote_monitoring_agent"));
-        assertThat(roles, hasKey("ingest_admin"));
-        assertThat(roles, hasKey("transport_client"));
     }
 
     public void testAutoReload() throws Exception {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/transport/TransportFilterTests.java

@@ -5,7 +5,7 @@
  */
 package org.elasticsearch.shield.transport;
 
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.inject.Inject;

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldSettingsSource.java

@@ -71,8 +71,7 @@ public class ShieldSettingsSource extends ClusterDiscoveryConfiguration.UnicastZ
                     "      privileges: [ ALL ]\n" +
             DEFAULT_TRANSPORT_CLIENT_ROLE + ":\n" +
                     "  cluster:\n" +
-                    "    - cluster:monitor/nodes/info\n" +
+                    "    - transport_client";
-                    "    - cluster:monitor/state";
 
     private final Path parentFolder;
     private final String subfolderPrefix;

elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/default_roles.yml

@@ -26,101 +26,46 @@ user:
 # Defines the required permissions for transport clients
 transport_client:
   cluster:
-      - cluster:monitor/nodes/liveness
+      - transport_client
-      #uncomment the following for sniffing
-      #- cluster:monitor/state
-
-# The required permissions for kibana 4 users.
-kibana4:
-  cluster:
-      - cluster:monitor/nodes/info
-      - cluster:monitor/health
-  indices:
-    - names: '*'
-      privileges:
-        - indices:admin/mappings/fields/get
-        - indices:admin/validate/query
-        - indices:data/read/search
-        - indices:data/read/msearch
-        - indices:data/read/field_stats
-        - indices:admin/get
-    - names: '.kibana'
-      privileges:
-        - indices:admin/exists
-        - indices:admin/mapping/put
-        - indices:admin/mappings/fields/get
-        - indices:admin/refresh
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
-        - indices:data/write/delete
-        - indices:data/write/index
-        - indices:data/write/update
 
 # The required permissions for the kibana 4 server
 kibana4_server:
   cluster:
-      - cluster:monitor/nodes/info
+      - monitor
-      - cluster:monitor/health
   indices:
     - names: '.kibana'
       privileges:
-        - indices:admin/create
+        - all
-        - indices:admin/exists
-        - indices:admin/mapping/put
-        - indices:admin/mappings/fields/get
-        - indices:admin/refresh
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
-        - indices:data/write/delete
-        - indices:data/write/index
-        - indices:data/write/update
 
 # The required role for logstash users
 logstash:
   cluster:
-    - indices:admin/template/get
+    - manage_index_templates
-    - indices:admin/template/put
   indices:
     - names: 'logstash-*'
       privileges:
-        - indices:data/write/bulk
+        - write
-        - indices:data/write/delete
+        - read
-        - indices:data/write/update
-        - indices:data/read/search
-        - indices:data/read/scroll
         - create_index
 
-# Monitoring user role. Assign to monitoring users.
+# Marvel user role. Assign to marvel users.
 monitoring_user:
   indices:
-    - names: '.monitoring-*'
+    - names:
-      privileges:
+        - '.marvel-es-*'
-        - read
+        - '.monitoring-*'
+      privileges: [ "read" ]
     - names: '.kibana'
       privileges:
-        - indices:admin/exists
+        - view_index_metadata
-        - indices:admin/mappings/fields/get
+        - read
-        - indices:admin/validate/query
-        - indices:data/read/get
-        - indices:data/read/mget
-        - indices:data/read/search
 
-# Monitoring remote agent role. Assign to the agent user on the remote monitoring cluster
+# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
-# to which the monitoring agent will export all its data
+# to which the marvel agent will export all its data
 remote_monitoring_agent:
-  cluster:
+  cluster: [ "manage_index_templates" ]
-    - indices:admin/template/put
-    - indices:admin/template/get
   indices:
-    - names: '.monitoring-*'
+    - names:
-      privileges:
+        - '.marvel-es-*'
-        - all
+        - '.monitoring-*'
-
+      privileges: [ "all" ]
-# Allows all operations required to manage ingest pipelines
-ingest_admin:
-  cluster:
-    - manage_pipeline

elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/shield/authz/store/roles.yml

@@ -9,7 +9,8 @@ role1:
         - READ
     - names: idx3
       privileges:
-        - CRUD
+        - READ
+        - WRITE
 
 role1.ab:
   cluster:

elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/actions

@@ -54,7 +54,7 @@ indices:monitor/upgrade
 indices:data/read/explain
 indices:data/read/field_stats
 indices:data/read/get
-indices:data/read/graph/explore
+indices:data/read/xpack/graph/explore
 indices:data/read/mget
 indices:data/read/mpercolate
 indices:data/read/msearch
@@ -75,14 +75,14 @@ indices:data/write/update
 cluster:monitor/xpack/license/get
 cluster:admin/xpack/license/delete
 cluster:admin/xpack/license/put
-cluster:admin/shield/realm/cache/clear
+cluster:admin/xpack/security/realm/cache/clear
-cluster:admin/shield/roles/cache/clear
+cluster:admin/xpack/security/roles/cache/clear
-cluster:admin/shield/user/put
+cluster:admin/xpack/security/user/put
-cluster:admin/shield/user/delete
+cluster:admin/xpack/security/user/delete
-cluster:admin/shield/user/get
+cluster:admin/xpack/security/user/get
-cluster:admin/shield/role/put
+cluster:admin/xpack/security/role/put
-cluster:admin/shield/role/delete
+cluster:admin/xpack/security/role/delete
-cluster:admin/shield/role/get
+cluster:admin/xpack/security/role/get
 internal:indices/admin/upgrade
 cluster:admin/ingest/pipeline/delete
 cluster:admin/ingest/pipeline/get

elasticsearch/x-pack/shield/src/test/resources/org/elasticsearch/transport/handlers

@@ -8,16 +8,16 @@ cluster:monitor/nodes/liveness
 cluster:monitor/nodes/stats[n]
 cluster:monitor/stats[n]
 cluster:monitor/tasks/lists[n]
-cluster:admin/shield/realm/cache/clear
+cluster:admin/xpack/security/realm/cache/clear
-cluster:admin/shield/realm/cache/clear[n]
+cluster:admin/xpack/security/realm/cache/clear[n]
-cluster:admin/shield/roles/cache/clear
+cluster:admin/xpack/security/roles/cache/clear
-cluster:admin/shield/roles/cache/clear[n]
+cluster:admin/xpack/security/roles/cache/clear[n]
-cluster:admin/shield/role/put
+cluster:admin/xpack/security/role/put
-cluster:admin/shield/role/delete
+cluster:admin/xpack/security/role/delete
-cluster:admin/shield/role/get
+cluster:admin/xpack/security/role/get
-cluster:admin/shield/user/put
+cluster:admin/xpack/security/user/put
-cluster:admin/shield/user/delete
+cluster:admin/xpack/security/user/delete
-cluster:admin/shield/user/get
+cluster:admin/xpack/security/user/get
 indices:admin/analyze[s]
 indices:admin/cache/clear[n]
 indices:admin/forcemerge[n]
@@ -36,11 +36,9 @@ indices:admin/validate/query[s]
 indices:data/read/explain[s]
 indices:data/read/field_stats[s]
 indices:data/read/get[s]
-indices:data/read/graph/explore
+indices:data/read/xpack/graph/explore
 indices:data/read/mget[shard][s]
-indices:data/read/mpercolate[shard][s]
 indices:data/read/mtv[shard][s]
-indices:data/read/percolate[s]
 indices:data/read/search[clear_scroll_contexts]
 indices:data/read/search[free_context/scroll]
 indices:data/read/search[free_context]

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/Watcher.java

@@ -21,7 +21,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.script.ScriptModule;
-import org.elasticsearch.shield.Shield;
 import org.elasticsearch.watcher.actions.WatcherActionModule;
 import org.elasticsearch.watcher.actions.email.service.EmailService;
 import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
@@ -120,12 +119,6 @@ public class Watcher {
         transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
         enabled = enabled(settings);
         validAutoCreateIndex(settings);
-
-        // adding the watcher privileges to shield
-        if (Shield.enabled(settings)) {
-            Shield.registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
-            Shield.registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
-        }
     }
 
     public Collection<Module> nodeModules() {

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherLifeCycleService.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.ack.AckedRequest;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/WatcherIndexTemplateRegistry.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.support;
 import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
 import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
 import org.elasticsearch.cluster.ClusterChangedEvent;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.common.component.AbstractComponent;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/WatcherTransportAction.java

@@ -10,7 +10,7 @@ import org.elasticsearch.action.ActionResponse;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.master.MasterNodeRequest;
 import org.elasticsearch.action.support.master.TransportMasterNodeAction;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.license.plugin.core.LicenseUtils;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/ack/AckWatchAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class AckWatchAction extends Action<AckWatchRequest, AckWatchResponse, AckWatchRequestBuilder> {
 
     public static final AckWatchAction INSTANCE = new AckWatchAction();
-    public static final String NAME = "cluster:admin/watcher/watch/ack";
+    public static final String NAME = "cluster:admin/xpack/watcher/watch/ack";
 
     private AckWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/ack/TransportAckWatchAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.ack;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/activate/ActivateWatchAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class ActivateWatchAction extends Action<ActivateWatchRequest, ActivateWatchResponse, ActivateWatchRequestBuilder> {
 
     public static final ActivateWatchAction INSTANCE = new ActivateWatchAction();
-    public static final String NAME = "cluster:admin/watcher/watch/activate";
+    public static final String NAME = "cluster:admin/xpack/watcher/watch/activate";
 
     private ActivateWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/activate/TransportActivateWatchAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.activate;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/delete/DeleteWatchAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class DeleteWatchAction extends Action<DeleteWatchRequest, DeleteWatchResponse, DeleteWatchRequestBuilder> {
 
     public static final DeleteWatchAction INSTANCE = new DeleteWatchAction();
-    public static final String NAME = "cluster:admin/watcher/watch/delete";
+    public static final String NAME = "cluster:admin/xpack/watcher/watch/delete";
 
     private DeleteWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/delete/TransportDeleteWatchAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.delete.DeleteResponse;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/execute/ExecuteWatchAction.java

@@ -15,7 +15,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class ExecuteWatchAction extends Action<ExecuteWatchRequest, ExecuteWatchResponse, ExecuteWatchRequestBuilder> {
 
     public static final ExecuteWatchAction INSTANCE = new ExecuteWatchAction();
-    public static final String NAME = "cluster:admin/watcher/watch/execute";
+    public static final String NAME = "cluster:admin/xpack/watcher/watch/execute";
 
     private ExecuteWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/execute/TransportExecuteWatchAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.execute;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/get/GetWatchAction.java

@@ -13,7 +13,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class GetWatchAction extends org.elasticsearch.action.Action<GetWatchRequest, GetWatchResponse, GetWatchRequestBuilder> {
 
     public static final GetWatchAction INSTANCE = new GetWatchAction();
-    public static final String NAME = "cluster:monitor/watcher/watch/get";
+    public static final String NAME = "cluster:monitor/xpack/watcher/watch/get";
 
     private GetWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/get/TransportGetWatchAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.get;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/put/PutWatchAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class PutWatchAction extends Action<PutWatchRequest, PutWatchResponse, PutWatchRequestBuilder> {
 
     public static final PutWatchAction INSTANCE = new PutWatchAction();
-    public static final String NAME = "cluster:admin/watcher/watch/put";
+    public static final String NAME = "cluster:admin/xpack/watcher/watch/put";
 
     private PutWatchAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/put/TransportPutWatchAction.java

@@ -9,7 +9,7 @@ import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/service/TransportWatcherServiceAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.service;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/service/WatcherServiceAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class WatcherServiceAction extends Action<WatcherServiceRequest, WatcherServiceResponse, WatcherServiceRequestBuilder> {
 
     public static final WatcherServiceAction INSTANCE = new WatcherServiceAction();
-    public static final String NAME = "cluster:admin/watcher/service";
+    public static final String NAME = "cluster:admin/xpack/watcher/service";
 
     private WatcherServiceAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/stats/TransportWatcherStatsAction.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher.transport.actions.stats;
 import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.action.support.ActionFilters;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.block.ClusterBlockException;
 import org.elasticsearch.cluster.block.ClusterBlockLevel;

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/transport/actions/stats/WatcherStatsAction.java

@@ -14,7 +14,7 @@ import org.elasticsearch.client.ElasticsearchClient;
 public class WatcherStatsAction extends Action<WatcherStatsRequest, WatcherStatsResponse, WatcherStatsRequestBuilder> {
 
     public static final WatcherStatsAction INSTANCE = new WatcherStatsAction();
-    public static final String NAME = "cluster:monitor/watcher/stats";
+    public static final String NAME = "cluster:monitor/xpack/watcher/stats";
 
     private WatcherStatsAction() {
         super(NAME);

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherLifeCycleServiceTests.java

@@ -8,7 +8,7 @@ package org.elasticsearch.watcher;
 import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
 import org.elasticsearch.cluster.ClusterChangedEvent;
 import org.elasticsearch.cluster.ClusterName;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateUpdateTask;
 import org.elasticsearch.cluster.block.ClusterBlocks;

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailAttachmentTests.java

@@ -8,7 +8,6 @@ package org.elasticsearch.watcher.actions.email;
 import com.squareup.okhttp.mockwebserver.MockResponse;
 import com.squareup.okhttp.mockwebserver.MockWebServer;
 import com.squareup.okhttp.mockwebserver.QueueDispatcher;
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.io.Streams;
@@ -61,7 +60,6 @@ import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.startsWith;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/pull/17065")
 public class EmailAttachmentTests extends AbstractWatcherIntegrationTestCase {
 
     static final String USERNAME = "_user";

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/execution/TriggeredWatchStoreLifeCycleTests.java

@@ -6,7 +6,7 @@
 package org.elasticsearch.watcher.execution;
 
 import org.elasticsearch.action.get.GetResponse;
-import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.watcher.condition.ExecutableCondition;
 import org.elasticsearch.watcher.condition.always.ExecutableAlwaysCondition;
 import org.elasticsearch.watcher.input.none.ExecutableNoneInput;

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/history/HistoryTemplateEmailMappingsTests.java

@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.watcher.history;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.action.search.SearchResponse;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.search.aggregations.Aggregations;
@@ -32,7 +31,6 @@ import static org.hamcrest.Matchers.notNullValue;
  * This test makes sure that the email address fields in the watch_record action result are
  * not analyzed so they can be used in aggregations
  */
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/pull/17065")
 public class HistoryTemplateEmailMappingsTests extends AbstractWatcherIntegrationTestCase {
     static final String USERNAME = "_user";
     static final String PASSWORD = "_passwd";