Shield refactoring for 5.0 - phase 2

- Started to move configuration under the `xpack` name
 - Cleaned up `ShieldPlugin`
 - renamed `ShieldClient` to `SecurityClient`
 - Introduced `XPackClient` that wraps security and watcher clients

Original commit: elastic/x-pack-elasticsearch@f05be0c180

elasticsearch/qa/shield-audit-tests/build.gradle

@@ -10,7 +10,7 @@ integTest {
     systemProperty 'es.shield.audit.enabled', 'true'
     systemProperty 'es.shield.audit.outputs', 'index'
     setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/qa/shield-client-tests/build.gradle

@@ -8,9 +8,9 @@ integTest {
   cluster {
     plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
     setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     setupCommand 'setupTransportClientUser',
-                 'bin/x-pack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client'
+                 'bin/xpack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/qa/shield-core-rest-tests/build.gradle

@@ -35,7 +35,7 @@ integTest {
     systemProperty 'es.watcher.enabled', 'false'
     systemProperty 'es.marvel.enabled', 'false'
     setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/qa/shield-example-realm/build.gradle

@@ -23,7 +23,7 @@ integTest {
     systemProperty 'es.shield.authc.realms.esusers.type', 'esusers'
 
     setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/qa/smoke-test-plugins-ssl/build.gradle

@@ -57,9 +57,9 @@ integTest {
     // copy keystore into config/
     extraConfigFile keystore.name, keystore
     setupCommand 'setupTestUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     setupCommand 'setupMarvelUser',
-                 'bin/x-pack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent'
+                 'bin/xpack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent'
     waitCondition = { node, ant ->
       // we just return true, doing an https check is tricky here
       return true

elasticsearch/qa/smoke-test-plugins/build.gradle

@@ -18,7 +18,7 @@ integTest {
     plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
 
     setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle

@@ -20,13 +20,13 @@ integTest {
 
   cluster {
     plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
-    extraConfigFile 'x-pack/roles.yml', 'roles.yml'
+    extraConfigFile 'xpack/roles.yml', 'roles.yml'
     setupCommand 'setupTestAdminUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin'
     setupCommand 'setupWatcherManagerUser',
-                 'bin/x-pack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager'
+                 'bin/xpack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager'
     setupCommand 'setupPowerlessUser',
-                 'bin/x-pack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role'
+                 'bin/xpack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role'
     waitCondition = { node, ant ->
       File tmpFile = new File(node.cwd, 'wait.success')
       ant.get(src: "http://${node.httpUri()}",

elasticsearch/x-pack/build.gradle

@@ -3,7 +3,7 @@ import org.elasticsearch.gradle.test.NodeInfo
 
 apply plugin: 'elasticsearch.esplugin'
 esplugin {
-  name 'x-pack'
+  name 'xpack'
   description 'Elasticsearch Expanded Pack Plugin'
   classname 'org.elasticsearch.xpack.XPackPlugin'
   // FIXME we still can't be isolated due to shield custom realms
@@ -129,7 +129,7 @@ integTest {
   // TODO: fix this rest test to not depend on a hardcoded port!
   systemProperty 'tests.rest.blacklist', 'getting_started/10_monitor_cluster_health/*'
   cluster {
-    setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+    setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
     waitCondition = { NodeInfo node, AntBuilder ant ->
         File tmpFile = new File(node.cwd, 'wait.success')
         ant.get(src: "http://${node.httpUri()}",
@@ -157,7 +157,7 @@ artifacts {
 }
 
 run {
-  setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+  setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
 }
 
 // classes are missing, e.g. com.ibm.icu.lang.UCharacter

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java

@@ -19,6 +19,7 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
+import org.elasticsearch.shield.ShieldPlugin;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -26,8 +27,6 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
-import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
-
 /**
  * Collector for the Recovery API.
  * <p>
@@ -73,7 +72,7 @@ public class IndexRecoveryCollector extends AbstractCollector<IndexRecoveryColle
                 results.add(indexRecoveryDoc);
             }
         } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                 logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
             } else {
                 throw e;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java

@@ -21,6 +21,7 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
+import org.elasticsearch.shield.ShieldPlugin;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -28,8 +29,6 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 
-import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
-
 /**
  * Collector for indices statistics.
  * <p>
@@ -87,7 +86,7 @@ public class IndexStatsCollector extends AbstractCollector<IndexStatsCollector>
                 results.add(indexStatsDoc);
             }
         } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                 logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
             } else {
                 throw e;

elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java

@@ -19,13 +19,12 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
+import org.elasticsearch.shield.ShieldPlugin;
 
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 
-import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
-
 /**
  * Collector for indices statistics.
  * <p>
@@ -72,7 +71,7 @@ public class IndicesStatsCollector extends AbstractCollector<IndicesStatsCollect
 
             return Collections.singletonList(indicesStatsDoc);
         } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                 logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
                 return Collections.emptyList();
             }

elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginTests.java

@@ -66,7 +66,7 @@ public class MarvelPluginTests extends MarvelIntegTestCase {
                     break;
                 }
             }
-            assertThat("x-pack plugin not found", found, equalTo(true));
+            assertThat("xpack plugin not found", found, equalTo(true));
         }
     }
 

elasticsearch/x-pack/shield/bin/shield/.in.bat

@@ -76,7 +76,7 @@ REM JAVA_OPTS=%JAVA_OPTS% -XX:HeapDumpPath=$ES_HOME/logs/heapdump.hprof
 
 REM Disables explicit GC
 set JAVA_OPTS=%JAVA_OPTS% -XX:+DisableExplicitGC
-set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/elasticsearch-1.4.0-SNAPSHOT.jar;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/x-pack/*
+set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/xpack/*
 set ES_PARAMS=-Des.path.home="%ES_HOME%"
 
 SET HOSTNAME=%COMPUTERNAME%

elasticsearch/x-pack/shield/bin/shield/esusers

@@ -123,7 +123,7 @@ fi
 export HOSTNAME=`hostname -s`
 
 # include shield jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 
 cd "$ES_HOME" > /dev/null
 "$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.authc.esusers.tool.ESUsersTool "$@"

elasticsearch/x-pack/shield/bin/shield/syskeygen

@@ -123,7 +123,7 @@ fi
 export HOSTNAME=`hostname -s`
 
 # include shield jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 
 cd "$ES_HOME" > /dev/null
 $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.crypto.tool.SystemKeyTool "$@"

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java

@@ -6,7 +6,6 @@
 package org.elasticsearch.shield;
 
 import org.elasticsearch.action.ActionModule;
-import org.elasticsearch.client.Client;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
@@ -14,7 +13,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
-import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.action.ShieldActionFilter;
@@ -71,7 +69,6 @@ import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
 import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
 import org.elasticsearch.xpack.XPackPlugin;
 
-import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -85,22 +82,19 @@ import java.util.Map;
 public class ShieldPlugin extends Plugin {
 
     public static final String NAME = "shield";
-    public static final String ENABLED_SETTING_NAME = NAME + ".enabled";
+    public static final String DLS_FLS_FEATURE = "shield.dls_fls";
     public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
-    public static final String DLS_FLS_ENABLED_SETTING = "shield.dls_fls.enabled";
-
-    private static final boolean DEFAULT_ENABLED_SETTING = true;
 
     private final Settings settings;
     private final boolean enabled;
-    private final boolean clientMode;
+    private final boolean transportClientMode;
     private ShieldLicenseState shieldLicenseState;
 
     public ShieldPlugin(Settings settings) {
         this.settings = settings;
-        this.enabled = shieldEnabled(settings);
-        this.clientMode = clientMode(settings);
-        if (enabled && clientMode == false) {
+        this.transportClientMode = XPackPlugin.transportClientMode(settings);
+        this.enabled = XPackPlugin.featureEnabled(settings, NAME, true);
+        if (enabled && !transportClientMode) {
             failIfShieldQueryCacheIsNotActive(settings, true);
         }
     }
@@ -118,11 +112,11 @@ public class ShieldPlugin extends Plugin {
     @Override
     public Collection<Module> nodeModules() {
 
-        if (!enabled) {
+        if (enabled == false) {
             return Collections.singletonList(new ShieldDisabledModule(settings));
         }
 
-        if (clientMode) {
+        if (transportClientMode == true) {
             return Arrays.<Module>asList(
                     new ShieldTransportModule(settings),
                     new SSLModule(settings));
@@ -147,18 +141,21 @@ public class ShieldPlugin extends Plugin {
 
     @Override
     public Collection<Class<? extends LifecycleComponent>> nodeServices() {
-        if (enabled && clientMode == false) {
-            List<Class<? extends LifecycleComponent>> list = new ArrayList<>();
-            if (AuditTrailModule.fileAuditLoggingEnabled(settings)) {
-                list.add(LoggingAuditTrail.class);
-            }
-            list.add(ShieldLicensee.class);
-            list.add(InternalCryptoService.class);
-            list.add(FileRolesStore.class);
-            list.add(Realms.class);
-            return list;
+        if (enabled == false || transportClientMode == true) {
+            return Collections.emptyList();
         }
-        return Collections.emptyList();
+        List<Class<? extends LifecycleComponent>> list = new ArrayList<>();
+
+        //TODO why only focus on file audit logs? shouldn't we just check if audit trail is enabled in general?
+        if (AuditTrailModule.fileAuditLoggingEnabled(settings) == true) {
+            list.add(LoggingAuditTrail.class);
+        }
+        list.add(ShieldLicensee.class);
+        list.add(InternalCryptoService.class);
+        list.add(FileRolesStore.class);
+        list.add(Realms.class);
+        return list;
+
     }
 
     @Override
@@ -178,6 +175,7 @@ public class ShieldPlugin extends Plugin {
     }
 
     public void onModule(SettingsModule settingsModule) {
+        //TODO shouldn't we register these settings only if shield is enabled and we're not in a client mode?
         settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_SETTING);
         settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING);
         settingsModule.registerSetting(IPFilter.HTTP_FILTER_ALLOW_SETTING);
@@ -187,6 +185,9 @@ public class ShieldPlugin extends Plugin {
         settingsModule.registerSetting(Setting.boolSetting("plugins.load_classpath_plugins", true, false, Setting.Scope.CLUSTER));
         // TODO add real settings for this wildcard here
         settingsModule.registerSetting(Setting.groupSetting("shield.", false, Setting.Scope.CLUSTER));
+        // TODO please let's just drop the old settings before releasing
+        settingsModule.registerSetting(Setting.groupSetting("xpack.shield.", false, Setting.Scope.CLUSTER));
+
         String[] asArray = settings.getAsArray("shield.hide_settings");
         for (String pattern : asArray) {
             settingsModule.registerSettingsFilter(pattern);
@@ -207,6 +208,7 @@ public class ShieldPlugin extends Plugin {
         if (enabled == false) {
             return;
         }
+
         assert shieldLicenseState != null;
         if (flsDlsEnabled(settings)) {
             module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(),
@@ -214,7 +216,7 @@ public class ShieldPlugin extends Plugin {
                     indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
                     shieldLicenseState));
         }
-        if (clientMode == false) {
+        if (transportClientMode == false) {
             module.registerQueryCache(ShieldPlugin.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new);
             failIfShieldQueryCacheIsNotActive(module.getSettings(), false);
         }
@@ -225,7 +227,7 @@ public class ShieldPlugin extends Plugin {
             return;
         }
         // registering the security filter only for nodes
-        if (clientMode == false) {
+        if (transportClientMode == false) {
             module.registerFilter(ShieldActionFilter.class);
         }
 
@@ -241,23 +243,21 @@ public class ShieldPlugin extends Plugin {
     }
 
     public void onModule(NetworkModule module) {
-        if (clientMode == false) {
-            // we want to expose the shield rest action even when the plugin is disabled
-            module.registerRestHandler(RestShieldInfoAction.class);
-        }
 
-        if (enabled == false) {
+        if (transportClientMode) {
+            if (enabled) {
+                module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
+                module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class);
+            }
             return;
         }
 
-        module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
-        if (clientMode) {
-            module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class);
-        } else {
-            module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class);
-        }
+        // we want to expose the shield rest action even when the plugin is disabled
+        module.registerRestHandler(RestShieldInfoAction.class);
 
-        if (clientMode == false) {
+        if (enabled) {
+            module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
+            module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class);
             module.registerRestHandler(RestAuthenticateAction.class);
             module.registerRestHandler(RestClearRealmCacheAction.class);
             module.registerRestHandler(RestClearRolesCacheAction.class);
@@ -290,39 +290,41 @@ public class ShieldPlugin extends Plugin {
                 .toCharArray())));
     }
 
-    /*
-     We inject additional settings on each tribe client if the current node is a tribe node, to make sure that every tribe has shield
-     installed and enabled too:
-     - if shield is loaded on the tribe node we make sure it is also loaded on every tribe, by making it mandatory there
-     (this means that the tribe node will fail at startup if shield is not loaded on any tribe due to missing mandatory plugin)
-     - if shield is loaded and enabled on the tribe node, we make sure it is also enabled on every tribe, by forcibly enabling it
-       (that means it's not possible to disable shield on the tribe clients)
+    /**
+     * If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
+     * that every tribe cluster has shield installed and is enabled. We do that by:
+     *
+     *    - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is
+     *      not loaded on any tribe due to missing mandatory plugin)
+     *
+     *    - forcibly enabling it (that means it's not possible to disable shield on the tribe clients)
      */
     private void addTribeSettings(Settings.Builder settingsBuilder) {
         Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
         if (tribesSettings.isEmpty()) {
+            // it's not a tribe node
             return;
         }
 
         for (Map.Entry<String, Settings> tribeSettings : tribesSettings.entrySet()) {
             String tribePrefix = "tribe." + tribeSettings.getKey() + ".";
 
-            // we copy over existing mandatory plugins under additional settings, as they would get overridden otherwise (arrays don't get
-            // merged)
+            // we copy over existing mandatory plugins under additional settings, as they would get overridden
+            // otherwise (arrays don't get merged)
             String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
             if (existingMandatoryPlugins == null) {
                 //shield is mandatory on every tribe if installed and enabled on the tribe node
-                settingsBuilder.putArray(tribePrefix + "plugin.mandatory", NAME);
+                settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
             } else {
-                if (!isShieldMandatory(existingMandatoryPlugins)) {
-                    throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" + NAME + "] must be included in" +
-                            " this list");
+                if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
+                    throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" +
+                            XPackPlugin.NAME + "] must be included in this list");
                 }
             }
 
-            final String tribeEnabledSetting = tribePrefix + ENABLED_SETTING_NAME;
+            final String tribeEnabledSetting = tribePrefix + XPackPlugin.featureEnabledSetting(NAME);
             if (settings.get(tribeEnabledSetting) != null) {
-                boolean enabled = shieldEnabled(tribeSettings.getValue());
+                boolean enabled = enabled(tribeSettings.getValue());
                 if (!enabled) {
                     throw new IllegalStateException("tribe setting [" + tribeEnabledSetting + "] must be set to true but the value is ["
                             + settings.get(tribeEnabledSetting) + "]");
@@ -334,43 +336,22 @@ public class ShieldPlugin extends Plugin {
         }
     }
 
-    /*
-        We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
-        This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
-        forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
-        unauthorized users.
+    /**
+     *  We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
+     *  This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
+     *  forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
+     *  unauthorized users.
      */
     private void addQueryCacheSettings(Settings.Builder settingsBuilder) {
         settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
     }
 
-    private static boolean isShieldMandatory(String[] existingMandatoryPlugins) {
-        for (String existingMandatoryPlugin : existingMandatoryPlugins) {
-            if (NAME.equals(existingMandatoryPlugin)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
-    public static Path configDir(Environment env) {
-        return env.configFile().resolve(XPackPlugin.NAME);
-    }
-
-    public static Path resolveConfigFile(Environment env, String name) {
-        return configDir(env).resolve(name);
-    }
-
-    public static boolean clientMode(Settings settings) {
-        return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
-    }
-
-    public static boolean shieldEnabled(Settings settings) {
-        return settings.getAsBoolean(ENABLED_SETTING_NAME, DEFAULT_ENABLED_SETTING);
+    public static boolean enabled(Settings settings) {
+        return XPackPlugin.featureEnabled(settings, NAME, true);
     }
 
     public static boolean flsDlsEnabled(Settings settings) {
-        return settings.getAsBoolean(DLS_FLS_ENABLED_SETTING, true);
+        return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true);
     }
 
     private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) {

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java

@@ -54,7 +54,7 @@ import org.elasticsearch.shield.action.user.DeleteUserRequest;
 import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.threadpool.ThreadPool;
 
 import java.util.ArrayList;
@@ -458,10 +458,10 @@ public class ESNativeUsersStore extends AbstractComponent implements ClusterStat
     }
 
     private <Response> void clearRealmCache(String username, ActionListener<Response> listener, Response response) {
-        ShieldClient shieldClient = new ShieldClient(client);
-        ClearRealmCacheRequest request = shieldClient.prepareClearRealmCache()
+        SecurityClient securityClient = new SecurityClient(client);
+        ClearRealmCacheRequest request = securityClient.prepareClearRealmCache()
                 .usernames(username).request();
-        shieldClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
+        securityClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
             @Override
             public void onResponse(ClearRealmCacheResponse nodes) {
                 listener.onResponse(response);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java

@@ -20,6 +20,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.IOException;
 import java.io.PrintWriter;
@@ -98,7 +99,7 @@ public class FileUserPasswdStore {
     public static Path resolveFile(Settings settings, Environment env) {
         String location = settings.get("files.users");
         if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "users");
+            return XPackPlugin.resolveConfigFile(env, "users");
         }
         return env.binFile().getParent().resolve(location);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java

@@ -19,6 +19,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.IOException;
 import java.io.PrintWriter;
@@ -91,7 +92,7 @@ public class FileUserRolesStore {
     public static Path resolveFile(Settings settings, Environment env) {
         String location = settings.get("files.users_roles");
         if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "users_roles");
+            return XPackPlugin.resolveConfigFile(env, "users_roles");
         }
         return env.binFile().getParent().resolve(location);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java

@@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -82,7 +83,7 @@ public class DnRoleMapper {
     public static Path resolveFile(Settings settings, Environment env) {
         String location = settings.get(ROLE_MAPPING_FILE_SETTING);
         if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME);
+            return XPackPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME);
         }
         return env.binFile().getParent().resolve(location);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java

@@ -48,7 +48,7 @@ import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.permission.Role;
 import org.elasticsearch.shield.authz.store.RolesStore;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.threadpool.ThreadPool;
 
 import java.util.ArrayList;
@@ -84,7 +84,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
     private final ConcurrentHashMap<String, RoleAndVersion> roleCache = new ConcurrentHashMap<>();
 
     private Client client;
-    private ShieldClient shieldClient;
+    private SecurityClient securityClient;
     private int scrollSize;
     private TimeValue scrollKeepAlive;
     private ScheduledFuture<?> versionChecker;
@@ -353,7 +353,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
         try {
             if (state.compareAndSet(State.INITIALIZED, State.STARTING)) {
                 this.client = clientProvider.get();
-                this.shieldClient = new ShieldClient(client);
+                this.securityClient = new SecurityClient(client);
                 this.scrollSize = settings.getAsInt("shield.authc.native.scroll.size", 1000);
                 this.scrollKeepAlive = settings.getAsTime("shield.authc.native.scroll.keep_alive", TimeValue.timeValueSeconds(10L));
                 TimeValue pollInterval = settings.getAsTime("shield.authc.native.reload.interval", TimeValue.timeValueSeconds(30L));
@@ -407,7 +407,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
 
     private <Response> void clearRoleCache(final String role, ActionListener<Response> listener, Response response) {
         ClearRolesCacheRequest request = new ClearRolesCacheRequest().roles(role);
-        shieldClient.clearRolesCache(request, new ActionListener<ClearRolesCacheResponse>() {
+        securityClient.clearRolesCache(request, new ActionListener<ClearRolesCacheResponse>() {
             @Override
             public void onResponse(ClearRolesCacheResponse nodes) {
                 listener.onResponse(response);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java

@@ -34,6 +34,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -109,7 +110,7 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
     public static Path resolveFile(Settings settings, Environment env) {
         String location = settings.get("shield.authz.store.files.roles");
         if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "roles.yml");
+            return XPackPlugin.resolveConfigFile(env, "roles.yml");
         }
 
         return env.binFile().getParent().resolve(location);
@@ -285,10 +286,10 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
                                                                 if (token == XContentParser.Token.VALUE_STRING) {
                                                                     names.add(parser.text());
                                                                 } else {
-                                                                    logger.error("invalid role definition [{}] in roles file [{}]. could " +
-                                                                            "not parse " +
-                                                                            "[{}] as index privilege. privilege names must be strings. " +
-                                                                            "skipping role...", roleName, path.toAbsolutePath(), token);
+                                                                    logger.error("invalid role definition [{}] in roles file [{}]. " +
+                                                                            "could not parse [{}] as index privilege. privilege " +
+                                                                            "names must be strings. skipping role...", roleName,
+                                                                            path.toAbsolutePath(), token);
                                                                     return null;
                                                                 }
                                                             }
@@ -301,26 +302,27 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
                                                 if (name != null) {
                                                     if ((query != null || (fields != null && fields.isEmpty() == false)) &&
                                                             ShieldPlugin.flsDlsEnabled(settings) == false) {
-                                                        logger.error("invalid role definition [{}] in roles file [{}]. document and field" +
-                                                                " level security is not enabled. set [{}] to [true] in the configuration " +
-                                                                "file. skipping role...", roleName, path.toAbsolutePath(), ShieldPlugin
-                                                                .DLS_FLS_ENABLED_SETTING);
+                                                        logger.error("invalid role definition [{}] in roles file [{}]. " +
+                                                                "document and field level security is not enabled. " +
+                                                                "set [{}] to [true] in the configuration file. skipping role...",
+                                                                roleName, path.toAbsolutePath(),
+                                                                XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE));
                                                         return null;
                                                     }
 
                                                     try {
                                                         role.add(fields, query, IndexPrivilege.get(name), indices);
                                                     } catch (IllegalArgumentException e) {
-                                                        logger.error("invalid role definition [{}] in roles file [{}]. could not resolve " +
-                                                                "indices privileges [{}]. skipping role...", roleName,
+                                                        logger.error("invalid role definition [{}] in roles file [{}]. could not " +
+                                                                "resolve indices privileges [{}]. skipping role...", roleName,
                                                                 path.toAbsolutePath(), name);
                                                         return null;
                                                     }
                                                 }
                                                 continue;
                                             } else {
-                                                logger.error("invalid role definition [{}] in roles file [{}]. could not parse [{}] as " +
-                                                        "index privileges. privilege lists must either " +
+                                                logger.error("invalid role definition [{}] in roles file [{}]. " +
+                                                        "could not parse [{}] as index privileges. privilege lists must either " +
                                                         "be a comma delimited string or an array of strings. skipping role...", roleName,
                                                         path.toAbsolutePath(), token);
                                                 return null;

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java

@@ -44,19 +44,12 @@ import org.elasticsearch.shield.action.role.ClearRolesCacheResponse;
 /**
  * A wrapper to elasticsearch clients that exposes all Shield related APIs
  */
-public class ShieldClient {
+public class SecurityClient {
 
     private final ElasticsearchClient client;
-    private final ShieldAuthcClient authcClient;
 
-    public ShieldClient(ElasticsearchClient client) {
+    public SecurityClient(ElasticsearchClient client) {
         this.client = client;
-        this.authcClient = new ShieldAuthcClient(client);
-    }
-
-    @Deprecated
-    public ShieldAuthcClient authc() {
-        return authcClient;
     }
 
     /****************

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java

@@ -1,54 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.shield.client;
-
-import org.elasticsearch.action.ActionFuture;
-import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.client.ElasticsearchClient;
-import org.elasticsearch.shield.action.realm.ClearRealmCacheAction;
-import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
-import org.elasticsearch.shield.action.realm.ClearRealmCacheRequestBuilder;
-import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
-
-/**
- * A client to manage Shield's authentication
- *
- * @deprecated Use {@link ShieldClient} directly instead
- */
-@Deprecated
-public class ShieldAuthcClient {
-
-    private final ElasticsearchClient client;
-
-    ShieldAuthcClient(ElasticsearchClient client) {
-        this.client = client;
-    }
-
-    /**
-     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
-     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
-     */
-    public ClearRealmCacheRequestBuilder prepareClearRealmCache() {
-        return new ClearRealmCacheRequestBuilder(client);
-    }
-
-    /**
-     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
-     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
-     */
-    public void clearRealmCache(ClearRealmCacheRequest request, ActionListener<ClearRealmCacheResponse> listener) {
-        client.execute(ClearRealmCacheAction.INSTANCE, request, listener);
-    }
-
-    /**
-     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
-     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
-     */
-    public ActionFuture<ClearRealmCacheResponse> clearRealmCache(ClearRealmCacheRequest request) {
-        return client.execute(ClearRealmCacheAction.INSTANCE, request);
-    }
-
-}

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java

@@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.support.CharArrays;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
@@ -159,7 +160,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
     public static Path resolveSystemKey(Settings settings, Environment env) {
         String location = settings.get(FILE_SETTING);
         if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, FILE_NAME);
+            return XPackPlugin.resolveConfigFile(env, FILE_NAME);
         }
         return env.binFile().getParent().resolve(location);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java

@@ -37,7 +37,7 @@ public class RestShieldInfoAction extends BaseRestHandler {
         super(settings, client);
         this.clusterName = clusterName;
         this.shieldLicenseState = licenseState;
-        this.shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        this.shieldEnabled = ShieldPlugin.enabled(settings);
         controller.registerHandler(GET, "/_shield", this);
         controller.registerHandler(HEAD, "/_shield", this);
     }

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/realm/RestClearRealmCacheAction.java

@@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 import static org.elasticsearch.rest.RestRequest.Method.POST;
 
@@ -41,7 +41,7 @@ public class RestClearRealmCacheAction extends BaseRestHandler {
 
         ClearRealmCacheRequest req = new ClearRealmCacheRequest().realms(realms).usernames(usernames);
 
-        new ShieldClient(client).clearRealmCache(req, new RestBuilderListener<ClearRealmCacheResponse>(channel) {
+        new SecurityClient(client).clearRealmCache(req, new RestBuilderListener<ClearRealmCacheResponse>(channel) {
             @Override
             public RestResponse buildResponse(ClearRealmCacheResponse response, XContentBuilder builder) throws Exception {
                 response.toXContent(builder, ToXContent.EMPTY_PARAMS);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java

@@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.AddRoleRequest;
 import org.elasticsearch.shield.action.role.AddRoleResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest endpoint to add a Role to the shield index
@@ -38,7 +38,7 @@ public class RestAddRoleAction extends BaseRestHandler {
         AddRoleRequest addRoleReq = new AddRoleRequest(request.content());
         addRoleReq.name(request.param("id"));
 
-        new ShieldClient(client).addRole(addRoleReq, new RestBuilderListener<AddRoleResponse>(channel) {
+        new SecurityClient(client).addRole(addRoleReq, new RestBuilderListener<AddRoleResponse>(channel) {
             @Override
             public RestResponse buildResponse(AddRoleResponse addRoleResponse, XContentBuilder builder) throws Exception {
                 return new BytesRestResponse(RestStatus.OK,

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java

@@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.ClearRolesCacheRequest;
 import org.elasticsearch.shield.action.role.ClearRolesCacheResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 import static org.elasticsearch.rest.RestRequest.Method.POST;
 
@@ -42,7 +42,7 @@ public class RestClearRolesCacheAction extends BaseRestHandler {
 
         ClearRolesCacheRequest req = new ClearRolesCacheRequest().roles(roles);
 
-        new ShieldClient(client).clearRolesCache(req, new RestBuilderListener<ClearRolesCacheResponse>(channel) {
+        new SecurityClient(client).clearRolesCache(req, new RestBuilderListener<ClearRolesCacheResponse>(channel) {
             @Override
             public RestResponse buildResponse(ClearRolesCacheResponse response, XContentBuilder builder) throws Exception {
                 response.toXContent(builder, ToXContent.EMPTY_PARAMS);

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java

@@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.DeleteRoleRequest;
 import org.elasticsearch.shield.action.role.DeleteRoleResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest endpoint to delete a Role from the shield index
@@ -37,7 +37,7 @@ public class RestDeleteRoleAction extends BaseRestHandler {
         String role = request.param("id");
         DeleteRoleRequest delRoleRequest = new DeleteRoleRequest(role);
 
-        new ShieldClient(client).deleteRole(delRoleRequest, new RestBuilderListener<DeleteRoleResponse>(channel) {
+        new SecurityClient(client).deleteRole(delRoleRequest, new RestBuilderListener<DeleteRoleResponse>(channel) {
             @Override
             public RestResponse buildResponse(DeleteRoleResponse response, XContentBuilder builder) throws Exception {
                 return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND,

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java

@@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestResponse;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.GetRolesResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest endpoint to retrieve a Role from the shield index
@@ -38,7 +38,7 @@ public class RestGetRolesAction extends BaseRestHandler {
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         String[] roles = Strings.splitStringByCommaToArray(request.param("id"));
 
-        new ShieldClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener<GetRolesResponse>(channel) {
+        new SecurityClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener<GetRolesResponse>(channel) {
             @Override
             public RestResponse buildResponse(GetRolesResponse getRolesResponse, XContentBuilder builder) throws Exception {
                 builder.startObject();

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java

@@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.user.AddUserRequest;
 import org.elasticsearch.shield.action.user.AddUserResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest endpoint to add a User to the shield index
@@ -40,7 +40,7 @@ public class RestAddUserAction extends BaseRestHandler {
         addUserReq.username(request.param("username"));
         addUserReq.source(request.content());
 
-        new ShieldClient(client).addUser(addUserReq, new RestBuilderListener<AddUserResponse>(channel) {
+        new SecurityClient(client).addUser(addUserReq, new RestBuilderListener<AddUserResponse>(channel) {
             @Override
             public RestResponse buildResponse(AddUserResponse addUserResponse, XContentBuilder builder) throws Exception {
                 return new BytesRestResponse(RestStatus.OK,

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java

@@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.user.DeleteUserRequest;
 import org.elasticsearch.shield.action.user.DeleteUserResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest action to delete a user from the shield index
@@ -37,7 +37,7 @@ public class RestDeleteUserAction extends BaseRestHandler {
         String user = request.param("username");
         DeleteUserRequest delUserRequest = new DeleteUserRequest(user);
 
-        new ShieldClient(client).deleteUser(delUserRequest, new RestBuilderListener<DeleteUserResponse>(channel) {
+        new SecurityClient(client).deleteUser(delUserRequest, new RestBuilderListener<DeleteUserResponse>(channel) {
             @Override
             public RestResponse buildResponse(DeleteUserResponse response, XContentBuilder builder) throws Exception {
                 return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND,

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java

@@ -21,7 +21,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.action.user.GetUsersResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 
 /**
  * Rest action to retrieve a user from the shield index
@@ -39,7 +39,7 @@ public class RestGetUsersAction extends BaseRestHandler {
     protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
         String[] users = Strings.splitStringByCommaToArray(request.param("username"));
 
-        new ShieldClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener<GetUsersResponse>(channel) {
+        new SecurityClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener<GetUsersResponse>(channel) {
             @Override
             public RestResponse buildResponse(GetUsersResponse getUsersResponse, XContentBuilder builder) throws Exception {
                 builder.startObject();

elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java

@@ -22,7 +22,7 @@ public abstract class AbstractShieldModule extends AbstractModule {
     public AbstractShieldModule(Settings settings) {
         this.settings = settings;
         this.clientMode = !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
-        this.shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        this.shieldEnabled = ShieldPlugin.enabled(settings);
     }
 
     @Override

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java

@@ -16,6 +16,7 @@ import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.rest.client.http.HttpResponse;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.IOException;
 
@@ -30,7 +31,7 @@ public class BulkUpdateTests extends ShieldIntegTestCase {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
                 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, randomBoolean())
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), randomBoolean())
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java

@@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
@@ -140,11 +140,11 @@ public class ClearRealmsCacheTests extends ShieldIntegTestCase {
         public abstract void executeRequest() throws Exception;
 
         static void executeTransportRequest(ClearRealmCacheRequest request) throws Exception {
-            ShieldClient shieldClient = new ShieldClient(client());
+            SecurityClient securityClient = securityClient(client());
 
             final CountDownLatch latch = new CountDownLatch(1);
             final AtomicReference<Throwable> error = new AtomicReference<>();
-            shieldClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
+            securityClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
                 @Override
                 public void onResponse(ClearRealmCacheResponse response) {
                     assertThat(response.getNodes().length, equalTo(internalCluster().getNodeNames().length));

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java

@@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.junit.annotations.TestLogging;
@@ -57,7 +57,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
     @Before
     public void setupForTest() throws Exception {
         // Clear the realm cache for all realms since we use a SUITE scoped cluster
-        ShieldClient client = new ShieldClient(internalCluster().transportClient());
+        SecurityClient client = securityClient(internalCluster().transportClient());
         client.prepareClearRealmCache().get();
 
         for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) {
@@ -78,7 +78,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
             });
         }
 
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         // create roles
         for (String role : roles) {
             c.prepareAddRole().name(role)
@@ -109,13 +109,13 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
 
     public void testModifyingViaApiClearsCache() throws Exception {
         Client client = internalCluster().transportClient();
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
 
         int modifiedRolesCount = randomIntBetween(1, roles.length);
         List<String> toModify = randomSubsetOf(modifiedRolesCount, roles);
         logger.debug("--> modifying roles {} to have run_as", toModify);
         for (String role : toModify) {
-            AddRoleResponse response = shieldClient.prepareAddRole().name(role)
+            AddRoleResponse response = securityClient.prepareAddRole().name(role)
                     .cluster("none")
                     .addIndices(new String[] { "*" }, new String[] { "ALL" }, null, null)
                     .runAs(role)
@@ -124,7 +124,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
             logger.debug("--> updated role [{}] with run_as", role);
         }
 
-        assertRolesAreCorrect(shieldClient, toModify);
+        assertRolesAreCorrect(securityClient, toModify);
     }
 
     public void testModifyingDocumentsDirectly() throws Exception {
@@ -144,7 +144,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
 
         // in this test, the poller runs too frequently to check the cache still has roles without run as
         // clear the cache and we should definitely see the latest values!
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
         final boolean useHttp = randomBoolean();
         final boolean clearAll = randomBoolean();
         logger.debug("--> starting to clear roles. using http [{}] clearing all [{}]", useHttp, clearAll);
@@ -163,18 +163,18 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
                     .execute();
             assertThat(response.getStatusCode(), is(RestStatus.OK.getStatus()));
         } else {
-            shieldClient.prepareClearRolesCache().roles(rolesToClear).get();
+            securityClient.prepareClearRolesCache().roles(rolesToClear).get();
         }
 
-        assertRolesAreCorrect(shieldClient, toModify);
+        assertRolesAreCorrect(securityClient, toModify);
     }
 
     public void testDeletingRoleDocumentDirectly() throws Exception {
         Client client = internalCluster().transportClient();
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
 
         final String role = randomFrom(roles);
-        List<RoleDescriptor> foundRoles = shieldClient.prepareGetRoles().roles(role).get().roles();
+        List<RoleDescriptor> foundRoles = securityClient.prepareGetRoles().roles(role).get().roles();
         assertThat(foundRoles.size(), is(1));
         logger.debug("--> deleting role [{}]", role);
         DeleteResponse response = client.prepareDelete(ShieldTemplateService.SHIELD_ADMIN_INDEX_NAME,
@@ -184,15 +184,15 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
         assertBusy(new Runnable() {
             @Override
             public void run() {
-                assertThat(shieldClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true));
+                assertThat(securityClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true));
             }
         });
     }
 
-    private void assertRolesAreCorrect(ShieldClient shieldClient, List<String> toModify) {
+    private void assertRolesAreCorrect(SecurityClient securityClient, List<String> toModify) {
         for (String role : roles) {
             logger.debug("--> getting role [{}]", role);
-            GetRolesResponse roleResponse = shieldClient.prepareGetRoles().roles(role).get();
+            GetRolesResponse roleResponse = securityClient.prepareGetRoles().roles(role).get();
             assertThat(roleResponse.isExists(), is(true));
             final String[] runAs = roleResponse.roles().get(0).getRunAs();
             if (toModify.contains(role)) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java

@@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
@@ -75,7 +76,7 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java

@@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -74,7 +75,7 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java

@@ -28,6 +28,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
@@ -87,7 +88,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java

@@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -111,7 +112,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java

@@ -28,6 +28,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
@@ -116,7 +117,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java

@@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Collections;
 
@@ -60,7 +61,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield
     public Settings nodeSettings(int nodeOrdinal) {
         return Settings.builder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java

@@ -66,7 +66,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
         logger.info("******* shield is " + (enabled ? "enabled" : "disabled"));
         return Settings.settingsBuilder()
                 .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled)
                 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
                 .build();
     }
@@ -75,7 +75,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
     protected Settings transportClientSettings() {
         return Settings.settingsBuilder()
                 .put(super.transportClientSettings())
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled)
                 .build();
     }
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java

@@ -7,6 +7,7 @@ package org.elasticsearch.shield;
 
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -14,8 +15,9 @@ import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.Matchers.arrayContaining;
 
 public class ShieldPluginSettingsTests extends ESTestCase {
-    private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + ShieldPlugin.ENABLED_SETTING_NAME;
-    private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + ShieldPlugin.ENABLED_SETTING_NAME;
+
+    private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME);
+    private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME);
 
     public void testShieldIsMandatoryOnTribes() {
         Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
@@ -26,8 +28,8 @@ public class ShieldPluginSettingsTests extends ESTestCase {
         Settings additionalSettings = shieldPlugin.additionalSettings();
 
 
-        assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME));
-        assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME));
+        assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME));
+        assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME));
     }
 
     public void testAdditionalMandatoryPluginsOnTribes() {
@@ -41,14 +43,14 @@ public class ShieldPluginSettingsTests extends ESTestCase {
             Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
             fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
         } catch (IllegalStateException e) {
-            assertThat(e.getMessage(), containsString("shield"));
+            assertThat(e.getMessage(), containsString(XPackPlugin.NAME));
             assertThat(e.getMessage(), containsString("plugin.mandatory"));
         }
     }
 
     public void testMandatoryPluginsOnTribesShieldAlreadyMandatory() {
         Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
-                .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build();
+                .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
 
         ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
 
@@ -59,7 +61,7 @@ public class ShieldPluginSettingsTests extends ESTestCase {
         assertThat(finalMandatoryPlugins, notNullValue());
         assertThat(finalMandatoryPlugins.length, equalTo(2));
         assertThat(finalMandatoryPlugins[0], equalTo("test_plugin"));
-        assertThat(finalMandatoryPlugins[1], equalTo(ShieldPlugin.NAME));
+        assertThat(finalMandatoryPlugins[1], equalTo(XPackPlugin.NAME));
     }
 
     public void testShieldIsEnabledByDefaultOnTribes() {
@@ -93,7 +95,7 @@ public class ShieldPluginSettingsTests extends ESTestCase {
         Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
                 .put(TRIBE_T1_SHIELD_ENABLED, false)
                 .put("tribe.t2.cluster.name", "non_existing")
-                .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build();
+                .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
 
         ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java

@@ -42,6 +42,7 @@ import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInfo;
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.transport.TransportRequest;
+import org.elasticsearch.xpack.XPackPlugin;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.ISODateTimeFormat;
@@ -166,13 +167,15 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
                     public Settings nodeSettings(int nodeOrdinal) {
                         Settings.Builder builder = Settings.builder()
                                 .put(super.nodeSettings(nodeOrdinal))
-                                .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield);
-                        // For tests we forcefully configure Shield's custom query cache because the test framework randomizes the query
-                        // cache impl,
-                        // but if shield is disabled then we don't need to forcefully set the query cache
+                                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield);
+
+                        // For tests we forcefully configure Shield's custom query cache because the test framework
+                        // randomizes the query cache impl but if shield is disabled then we don't need to forcefully
+                        // set the query cache
                         if (useShield == false) {
                             builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
                         }
+
                         return builder.build();
                     }
             };
@@ -188,7 +191,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
 
             Settings.Builder builder = Settings.builder()
                     .put(settings)
-                    .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield)
+                    .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield)
                     .put(remoteSettings(NetworkAddress.formatAddress(inet.address().getAddress()), inet.address().getPort(), cluster2Name))
                     .put("shield.audit.index.client.shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
 

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java

@@ -22,7 +22,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore;
 import org.elasticsearch.shield.authz.permission.Role;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.junit.After;
@@ -43,7 +43,7 @@ import static org.hamcrest.Matchers.isOneOf;
 public class ESNativeTests extends ShieldIntegTestCase {
 
     public void testDeletingNonexistingUserAndRole() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         DeleteUserResponse resp = c.prepareDeleteUser().user("joe").get();
         assertFalse("user shouldn't be found", resp.found());
         DeleteRoleResponse resp2 = c.prepareDeleteRole().role("role").get();
@@ -51,7 +51,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testGettingUserThatDoesntExist() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         GetUsersResponse resp = c.prepareGetUsers().users("joe").get();
         assertFalse("user should not exist", resp.isExists());
         GetRolesResponse resp2 = c.prepareGetRoles().roles("role").get();
@@ -59,7 +59,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testAddAndGetUser() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating user");
         c.prepareAddUser()
                 .username("joe")
@@ -117,7 +117,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testAddAndGetRole() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating role");
         c.prepareAddRole()
                 .name("test_role")
@@ -171,7 +171,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testAddUserAndRoleThenAuth() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating role");
         c.prepareAddRole()
                 .name("test_role")
@@ -204,7 +204,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testUpdatingUserAndAuthentication() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating user");
         c.prepareAddUser()
                 .username("joe")
@@ -248,7 +248,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testCreateDeleteAuthenticate() {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating user");
         c.prepareAddUser()
                 .username("joe")
@@ -285,7 +285,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
 
     public void testCreateAndUpdateRole() {
         final boolean authenticate = randomBoolean();
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating role");
         c.prepareAddRole()
                 .name("test_role")
@@ -340,7 +340,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     }
 
     public void testAuthenticateWithDeletedRole() {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
         logger.error("--> creating role");
         c.prepareAddRole()
                 .name("test_role")
@@ -373,7 +373,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
     @Before
     public void ensureStoresStarted() throws Exception {
         // Clear the realm cache for all realms since we use a SUITE scoped cluster
-        ShieldClient client = new ShieldClient(client());
+        SecurityClient client = securityClient();
         client.prepareClearRealmCache().get();
 
         for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) {

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java

@@ -19,6 +19,7 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.io.BufferedWriter;
 import java.io.OutputStream;
@@ -52,8 +53,9 @@ public class FileRolesStoreTests extends ESTestCase {
 
     public void testParseFile() throws Exception {
         Path path = getDataPath("roles.yml");
-        Map<String, Role> roles = FileRolesStore.parseFile(path, logger,
-                Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true).build());
+        Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
+                .build());
         assertThat(roles, notNullValue());
         assertThat(roles.size(), is(10));
 
@@ -208,8 +210,9 @@ public class FileRolesStoreTests extends ESTestCase {
     public void testParseFileWithFLSAndDLSDisabled() throws Exception {
         Path path = getDataPath("roles.yml");
         CapturingLogger logger = new CapturingLogger(CapturingLogger.Level.ERROR);
-        Map<String, Role> roles = FileRolesStore.parseFile(path,
-                logger, Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, false).build());
+        Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), false)
+                .build());
         assertThat(roles, notNullValue());
         assertThat(roles.size(), is(7));
         assertThat(roles.get("role_fields"), nullValue());

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java

@@ -15,9 +15,11 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.authc.support.SecuredString;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ESIntegTestCase.SuppressLocalMode;
 import org.elasticsearch.test.transport.AssertingLocalTransport;
 import org.elasticsearch.test.transport.MockTransportService;
+import org.elasticsearch.xpack.XPackClient;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -267,6 +269,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
     }
 
     private class CustomShieldSettingsSource extends ShieldSettingsSource {
+
         private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) {
             super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope);
         }
@@ -339,4 +342,12 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
     protected InternalClient internalClient(String node) {
         return internalCluster().getInstance(InternalClient.class, node);
     }
+
+    protected SecurityClient securityClient() {
+        return securityClient(client());
+    }
+
+    public static SecurityClient securityClient(Client client) {
+        return randomBoolean() ? new XPackClient(client).security() : new SecurityClient(client);
+    }
 }

elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java

@@ -9,6 +9,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.transport.ShieldServerTransportService;
 import org.elasticsearch.test.ShieldIntegTestCase;
+import org.elasticsearch.xpack.XPackPlugin;
 
 import java.util.Map;
 
@@ -21,7 +22,7 @@ public class ShieldServerTransportServiceTests extends ShieldIntegTestCase {
     protected Settings transportClientSettings() {
         return Settings.settingsBuilder()
                 .put(super.transportClientSettings())
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), true)
                 .build();
     }
 

elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack;
+
+import org.elasticsearch.client.Client;
+import org.elasticsearch.shield.authc.support.SecuredString;
+import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
+import org.elasticsearch.shield.client.SecurityClient;
+import org.elasticsearch.watcher.client.WatcherClient;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
+import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
+
+/**
+ *
+ */
+public class XPackClient {
+
+    private final Client client;
+    private final SecurityClient securityClient;
+    private final WatcherClient watcherClient;
+
+    public XPackClient(Client client) {
+        this.client = client;
+        this.securityClient = new SecurityClient(client);
+        this.watcherClient = new WatcherClient(client);
+    }
+
+    public SecurityClient security() {
+        return securityClient;
+    }
+
+    public WatcherClient watcher() {
+        return watcherClient;
+    }
+
+    public XPackClient withHeaders(Map<String, String> headers) {
+        return new XPackClient(client.filterWithHeader(headers));
+    }
+
+    /**
+     * Returns a client that will call xpack APIs on behalf of the given user.
+     *
+     * @param username The username of the user
+     * @param passwd    The password of the user. This char array can be cleared after calling this method.
+     */
+    public XPackClient withAuth(String username, char[] passwd) {
+       return withHeaders(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue(username, new SecuredString(passwd))));
+    }
+}

elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java

@@ -7,13 +7,13 @@ package org.elasticsearch.xpack;
 
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.action.ActionModule;
+import org.elasticsearch.client.Client;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
-import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
+import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.license.plugin.LicensePlugin;
 import org.elasticsearch.marvel.MarvelPlugin;
@@ -22,6 +22,7 @@ import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.watcher.WatcherPlugin;
 
+import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
@@ -29,9 +30,7 @@ import java.util.Collection;
 
 public class XPackPlugin extends Plugin {
 
-    public static final String NAME = "x-pack";
-
-    private final static ESLogger logger = Loggers.getLogger(XPackPlugin.class);
+    public static final String NAME = "xpack";
 
     // TODO: clean up this library to not ask for write access to all system properties!
     static {
@@ -143,4 +142,30 @@ public class XPackPlugin extends Plugin {
         watcherPlugin.onIndexModule(module);
         marvelPlugin.onIndexModule(module);
     }
+
+    public static boolean transportClientMode(Settings settings) {
+        return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
+    }
+
+    public static Path resolveConfigFile(Environment env, String name) {
+        return env.configFile().resolve(NAME).resolve(name);
+    }
+
+    /**
+     * A consistent way to enable disable features using the following setting:
+     *
+     *          {@code "xpack.<feature>.enabled": true | false}
+     *
+     *  Also supports the following setting as a fallback (for BWC with 1.x/2.x):
+     *
+     *          {@code "<feature>.enabled": true | false}
+     */
+    public static boolean featureEnabled(Settings settings, String featureName, boolean defaultValue) {
+        return settings.getAsBoolean(featureEnabledSetting(featureName),
+                settings.getAsBoolean(featureName + ".enabled", defaultValue)); // for bwc
+    }
+
+    public static String featureEnabledSetting(String featureName) {
+        return NAME + "." + featureName + ".enabled";
+    }
 }

elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml

@@ -10,4 +10,4 @@
     - do:
         nodes.info: {}
 
-    - match:  { nodes.$master.plugins.0.name: x-pack  }
+    - match:  { nodes.$master.plugins.0.name: xpack  }

elasticsearch/x-pack/watcher/bin/watcher/.in.bat

@@ -76,7 +76,7 @@ REM JAVA_OPTS=%JAVA_OPTS% -XX:HeapDumpPath=$ES_HOME/logs/heapdump.hprof
 
 REM Disables explicit GC
 set JAVA_OPTS=%JAVA_OPTS% -XX:+DisableExplicitGC
-set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/elasticsearch-1.4.0-SNAPSHOT.jar;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/x-pack/*
+set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/xpack/*
 set ES_PARAMS=-Des.path.home="%ES_HOME%"
 
 SET HOSTNAME=%COMPUTERNAME%

elasticsearch/x-pack/watcher/bin/watcher/croneval

@@ -114,7 +114,7 @@ fi
 export HOSTNAME=`hostname -s`
 
 # include watcher jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 
 cd "$ES_HOME" > /dev/null
 $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" org.elasticsearch.watcher.trigger.schedule.tool.CronEvalTool "$@" $properties

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java

@@ -22,6 +22,8 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.ScriptModule;
+import org.elasticsearch.shield.ShieldPlugin;
+import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.watcher.actions.WatcherActionModule;
 import org.elasticsearch.watcher.actions.email.service.EmailService;
 import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
@@ -50,8 +52,7 @@ import org.elasticsearch.watcher.rest.action.RestPutWatchAction;
 import org.elasticsearch.watcher.rest.action.RestWatchServiceAction;
 import org.elasticsearch.watcher.rest.action.RestWatcherInfoAction;
 import org.elasticsearch.watcher.rest.action.RestWatcherStatsAction;
-import org.elasticsearch.watcher.shield.ShieldSecretService;
-import org.elasticsearch.watcher.shield.WatcherShieldModule;
+import org.elasticsearch.watcher.support.secret.SecretService;
 import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry.TemplateConfig;
 import org.elasticsearch.watcher.support.clock.ClockModule;
 import org.elasticsearch.watcher.support.http.HttpClient;
@@ -120,8 +121,15 @@ public class WatcherPlugin extends Plugin {
         transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
         enabled = watcherEnabled(settings);
         validAutoCreateIndex(settings);
+
+        // adding the watcher privileges to shield
+        if (ShieldPlugin.enabled(settings)) {
+            registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
+            registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
+        }
     }
 
+
     @Override public String name() {
         return NAME;
     }
@@ -152,7 +160,6 @@ public class WatcherPlugin extends Plugin {
                 new WatcherActionModule(),
                 new HistoryModule(),
                 new ExecutionModule(),
-                new WatcherShieldModule(settings),
                 new SecretModule(settings));
     }
 
@@ -204,7 +211,8 @@ public class WatcherPlugin extends Plugin {
         module.registerSetting(Setting.intSetting("watcher.execution.scroll.size", 0, false, CLUSTER));
         module.registerSetting(Setting.intSetting("watcher.watch.scroll.size", 0, false, CLUSTER));
         module.registerSetting(Setting.boolSetting("watcher.enabled", false, false, CLUSTER));
-        module.registerSetting(ShieldSecretService.ENCRYPT_SENSITIVE_DATA_SETTING);
+        module.registerSetting(SecretService.Secure.ENCRYPT_SENSITIVE_DATA_SETTING);
+
         // TODO add real settings for these
         module.registerSetting(Setting.simpleString("resource.reload.interval", false, CLUSTER));
         module.registerSetting(Setting.simpleString("resource.reload.enabled", false, CLUSTER));
@@ -328,4 +336,16 @@ public class WatcherPlugin extends Plugin {
                 "[.watcher-history-YYYY.MM.dd] are allowed to be created", value);
     }
 
+    void registerClusterPrivilege(String name, String... patterns) {
+        try {
+            ClusterPrivilege.addCustom(name, patterns);
+        } catch (Exception se) {
+            logger.warn("could not register cluster privilege [{}]", name);
+
+            // we need to prevent bubbling the shield exception here for the tests. In the tests
+            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
+            // multiple nodes will try to add the same privileges multiple times.
+        }
+    }
+
 }

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java

@@ -1,41 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.watcher.shield;
-
-import org.elasticsearch.common.component.AbstractComponent;
-import org.elasticsearch.common.inject.Inject;
-import org.elasticsearch.common.settings.Setting;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.shield.crypto.CryptoService;
-import org.elasticsearch.watcher.support.secret.SecretService;
-
-/**
- *
- */
-public class ShieldSecretService extends AbstractComponent implements SecretService {
-
-    private final CryptoService cryptoService;
-    private final boolean encryptSensitiveData;
-    public static final Setting<Boolean> ENCRYPT_SENSITIVE_DATA_SETTING =
-            Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER);
-
-    @Inject
-    public ShieldSecretService(Settings settings, CryptoService cryptoService) {
-        super(settings);
-        this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings);
-        this.cryptoService = cryptoService;
-    }
-
-    @Override
-    public char[] encrypt(char[] text) {
-        return encryptSensitiveData ? cryptoService.encrypt(text) : text;
-    }
-
-    @Override
-    public char[] decrypt(char[] text) {
-        return encryptSensitiveData ? cryptoService.decrypt(text) : text;
-    }
-}

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java

@@ -1,45 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License;
- * you may not use this file except in compliance with the Elastic License.
- */
-package org.elasticsearch.watcher.shield;
-
-import org.elasticsearch.common.inject.AbstractModule;
-import org.elasticsearch.common.logging.ESLogger;
-import org.elasticsearch.common.logging.Loggers;
-import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.shield.ShieldPlugin;
-import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
-
-/**
- *
- */
-public class WatcherShieldModule extends AbstractModule {
-
-    private final ESLogger logger;
-
-    public WatcherShieldModule(Settings settings) {
-        this.logger = Loggers.getLogger(WatcherShieldModule.class, settings);
-        if (ShieldPlugin.shieldEnabled(settings)) {
-            registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
-            registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
-        }
-    }
-
-    void registerClusterPrivilege(String name, String... patterns) {
-        try {
-            ClusterPrivilege.addCustom(name, patterns);
-        } catch (Exception se) {
-            logger.warn("could not register cluster privilege [{}]", name);
-
-            // we need to prevent bubbling the shield exception here for the tests. In the tests
-            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
-            // multiple nodes will try to add the same privileges multiple times.
-        }
-    }
-
-    @Override
-    protected void configure() {
-    }
-}

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java

@@ -8,7 +8,6 @@ package org.elasticsearch.watcher.support.secret;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
-import org.elasticsearch.watcher.shield.ShieldSecretService;
 
 /**
  *
@@ -18,17 +17,16 @@ public class SecretModule extends AbstractModule {
     private final boolean shieldEnabled;
 
     public SecretModule(Settings settings) {
-        shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        shieldEnabled = ShieldPlugin.enabled(settings);
     }
 
     @Override
     protected void configure() {
         if (shieldEnabled) {
-            bind(ShieldSecretService.class).asEagerSingleton();
-            bind(SecretService.class).to(ShieldSecretService.class);
+            bind(SecretService.Secure.class).asEagerSingleton();
+            bind(SecretService.class).to(SecretService.Secure.class);
         } else {
-            bind(SecretService.PlainText.class).asEagerSingleton();
-            bind(SecretService.class).to(SecretService.PlainText.class);
+            bind(SecretService.class).toInstance(SecretService.Insecure.INSTANCE);
         }
     }
 }

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java

@@ -5,6 +5,12 @@
  */
 package org.elasticsearch.watcher.support.secret;
 
+import org.elasticsearch.common.component.AbstractComponent;
+import org.elasticsearch.common.inject.Inject;
+import org.elasticsearch.common.settings.Setting;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.shield.crypto.CryptoService;
+
 /**
  *
  */
@@ -14,7 +20,12 @@ public interface SecretService {
 
     char[] decrypt(char[] text);
 
-    class PlainText implements SecretService {
+    class Insecure implements SecretService {
+
+        public static final Insecure INSTANCE = new Insecure();
+
+        Insecure() {
+        }
 
         @Override
         public char[] encrypt(char[] text) {
@@ -26,4 +37,31 @@ public interface SecretService {
             return text;
         }
     }
+
+    /**
+     *
+     */
+    class Secure extends AbstractComponent implements SecretService {
+
+        private final CryptoService cryptoService;
+        private final boolean encryptSensitiveData;
+        public static final Setting<Boolean> ENCRYPT_SENSITIVE_DATA_SETTING =
+                Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER);
+        @Inject
+        public Secure(Settings settings, CryptoService cryptoService) {
+            super(settings);
+            this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings);
+            this.cryptoService = cryptoService;
+        }
+
+        @Override
+        public char[] encrypt(char[] text) {
+            return encryptSensitiveData ? cryptoService.encrypt(text) : text;
+        }
+
+        @Override
+        public char[] decrypt(char[] text) {
+            return encryptSensitiveData ? cryptoService.decrypt(text) : text;
+        }
+    }
 }

elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java

@@ -257,7 +257,7 @@ public class Watch implements TriggerEngine.Job, ToXContent {
          * Such that the returned watch will potentially hide this sensitive data behind a "secret". A secret
          * is an abstraction around sensitive data (text). There can be different implementations of how the
          * secret holds the data, depending on the wired up {@link SecretService}. When shield is installed, a
-         * {@link org.elasticsearch.watcher.shield.ShieldSecretService} is used, that potentially encrypts the data
+         * {@link SecretService.Secure} is used, that potentially encrypts the data
          * using Shield's configured system key.
          *
          * This method is only called once - when the user adds a new watch. From that moment on, all representations

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java

@@ -41,8 +41,10 @@ public class WatcherPluginDisableTests extends ESIntegTestCase {
         return Settings.settingsBuilder()
                 .put(super.nodeSettings(nodeOrdinal))
                 .put(WatcherPlugin.ENABLED_SETTING, false)
+
                 // disable shield because of query cache check and authentication/authorization
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, false)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), false)
+
                 .put(NetworkModule.HTTP_ENABLED.getKey(), true)
                 .build();
     }

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java

@@ -12,7 +12,6 @@ import org.elasticsearch.watcher.actions.email.service.EmailTemplate;
 import org.elasticsearch.watcher.actions.email.service.support.EmailServer;
 import org.elasticsearch.watcher.client.WatcherClient;
 import org.elasticsearch.watcher.execution.ActionExecutionMode;
-import org.elasticsearch.watcher.shield.ShieldSecretService;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import org.elasticsearch.watcher.support.xcontent.XContentSource;
 import org.elasticsearch.watcher.test.AbstractWatcherIntegrationTestCase;
@@ -100,15 +99,15 @@ public class EmailSecretsIntegrationTests extends AbstractWatcherIntegrationTest
         if (shieldEnabled() && encryptSensitiveData) {
             assertThat(value, not(is((Object) PASSWORD)));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         } else {
             assertThat(value, is((Object) PASSWORD));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
             if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
             } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
             }
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         }

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java

@@ -160,7 +160,7 @@ public class AccountTests extends ESTestCase {
                 .put("smtp.port", server.port())
                 .put("smtp.user", USERNAME)
                 .put("smtp.password", PASSWORD)
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
 
         Email email = Email.builder()
                 .id("_id")
@@ -197,7 +197,7 @@ public class AccountTests extends ESTestCase {
                 .put("smtp.port", server.port())
                 .put("smtp.user", USERNAME)
                 .put("smtp.password", PASSWORD)
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
 
         Email email = Email.builder()
                 .id("_id")
@@ -237,7 +237,7 @@ public class AccountTests extends ESTestCase {
         Account account = new Account(new Account.Config("default", Settings.builder()
                 .put("smtp.host", "localhost")
                 .put("smtp.port", server.port())
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
 
         Email email = Email.builder()
                 .id("_id")

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java

@@ -24,7 +24,7 @@ public class AccountsTests extends ESTestCase {
                 .put("default_account", "account1");
         addAccountSettings("account1", builder);
 
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
         Account account = accounts.account("account1");
         assertThat(account, notNullValue());
         assertThat(account.name(), equalTo("account1"));
@@ -37,7 +37,7 @@ public class AccountsTests extends ESTestCase {
         Settings.Builder builder = Settings.builder();
         addAccountSettings("account1", builder);
 
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
         Account account = accounts.account("account1");
         assertThat(account, notNullValue());
         assertThat(account.name(), equalTo("account1"));
@@ -52,7 +52,7 @@ public class AccountsTests extends ESTestCase {
         addAccountSettings("account1", builder);
         addAccountSettings("account2", builder);
 
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
         Account account = accounts.account("account1");
         assertThat(account, notNullValue());
         assertThat(account.name(), equalTo("account1"));
@@ -70,7 +70,7 @@ public class AccountsTests extends ESTestCase {
         addAccountSettings("account1", builder);
         addAccountSettings("account2", builder);
 
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
         Account account = accounts.account("account1");
         assertThat(account, notNullValue());
         assertThat(account.name(), equalTo("account1"));
@@ -88,7 +88,7 @@ public class AccountsTests extends ESTestCase {
         addAccountSettings("account1", builder);
         addAccountSettings("account2", builder);
         try {
-            new Accounts(builder.build(), new SecretService.PlainText(), logger);
+            new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
             fail("Expected SettingsException");
         } catch (SettingsException e) {
             assertThat(e.getMessage(), is("could not find default email account [unknown]"));
@@ -97,7 +97,7 @@ public class AccountsTests extends ESTestCase {
 
     public void testNoAccount() throws Exception {
         Settings.Builder builder = Settings.builder();
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
         try {
             accounts.account(null);
             fail("no accounts are configured so trying to get the default account should throw an IllegalStateException");
@@ -110,7 +110,7 @@ public class AccountsTests extends ESTestCase {
         Settings.Builder builder = Settings.builder()
                 .put("default_account", "unknown");
         try {
-            new Accounts(builder.build(), new SecretService.PlainText(), logger);
+            new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
             fail("Expected SettingsException");
         } catch (SettingsException e) {
             assertThat(e.getMessage(), is("could not find default email account [unknown]"));

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java

@@ -33,7 +33,7 @@ public class InternalEmailServiceTests extends ESTestCase {
     @Before
     public void init() throws Exception {
         accounts = mock(Accounts.class);
-        service = new InternalEmailService(Settings.EMPTY, new SecretService.PlainText(),
+        service = new InternalEmailService(Settings.EMPTY, SecretService.Insecure.INSTANCE,
                 new ClusterSettings(Settings.EMPTY, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING))) {
             @Override
             protected Accounts createAccounts(Settings settings, ESLogger logger) {

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java

@@ -7,7 +7,6 @@ package org.elasticsearch.watcher.actions.email.service;
 
 import org.apache.lucene.util.LuceneTestCase.AwaitsFix;
 import org.elasticsearch.common.cli.Terminal;
-import org.elasticsearch.common.inject.Provider;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.ToXContent;
@@ -15,7 +14,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.watcher.support.secret.SecretService;
 
 import java.io.IOException;
-import java.io.InputStream;
 import java.util.Collections;
 import java.util.Locale;
 
@@ -124,7 +122,7 @@ public class ManualPublicSmtpServersTester {
 
     static InternalEmailService startEmailService(Settings.Builder builder) {
         Settings settings = builder.build();
-        InternalEmailService service = new InternalEmailService(settings, new SecretService.PlainText(),
+        InternalEmailService service = new InternalEmailService(settings, SecretService.Insecure.INSTANCE,
                 new ClusterSettings(settings, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING)));
         service.start();
         return service;

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java

@@ -35,14 +35,14 @@ import static org.mockito.Mockito.when;
 
 public class HttpEmailAttachementParserTests extends ESTestCase {
 
-    private SecretService.PlainText secretService;
+    private SecretService.Insecure secretService;
     private HttpAuthRegistry authRegistry;
     private HttpRequestTemplate.Parser httpRequestTemplateParser;
     private HttpClient httpClient;
 
     @Before
     public void init() throws Exception {
-        secretService = new SecretService.PlainText();
+        secretService = SecretService.Insecure.INSTANCE;
         authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService)));
         httpRequestTemplateParser = new HttpRequestTemplate.Parser(authRegistry);
         httpClient = mock(HttpClient.class);

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java

@@ -54,7 +54,7 @@ public class HttpClientTests extends ESTestCase {
 
     @Before
     public void init() throws Exception {
-        secretService = new SecretService.PlainText();
+        secretService = SecretService.Insecure.INSTANCE;
         authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService)));
         webServer = startWebServer(9200, 9300);
         webPort = webServer.getPort();

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java

@@ -14,7 +14,6 @@ import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.watcher.support.http.auth.HttpAuthRegistry;
-import org.elasticsearch.watcher.support.secret.SecretService;
 import org.junit.After;
 import org.junit.Before;
 
@@ -27,13 +26,12 @@ import static org.mockito.Mockito.mock;
 /**
  */
 public class HttpReadTimeoutTests extends ESTestCase {
+
     private MockWebServer webServer;
-    private SecretService secretService;
     private int webPort;
 
     @Before
     public void init() throws Exception {
-        secretService = new SecretService.PlainText();
         for (webPort = 9200; webPort < 9300; webPort++) {
             try {
                 webServer = new MockWebServer();

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java

@@ -136,7 +136,8 @@ public class HttpRequestTemplateTests extends ESTestCase {
 
         HttpRequestTemplate template = builder.build();
 
-        HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(new SecretService.PlainText())));
+        HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE,
+                new BasicAuthFactory(SecretService.Insecure.INSTANCE)));
         HttpRequestTemplate.Parser parser = new HttpRequestTemplate.Parser(registry);
 
         XContentBuilder xContentBuilder = template.toXContent(jsonBuilder(), ToXContent.EMPTY_PARAMS);

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java

@@ -61,6 +61,7 @@ import org.elasticsearch.watcher.trigger.TriggerService;
 import org.elasticsearch.watcher.trigger.schedule.ScheduleModule;
 import org.elasticsearch.watcher.watch.Watch;
 import org.elasticsearch.xpack.TimeWarpedXPackPlugin;
+import org.elasticsearch.xpack.XPackClient;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.hamcrest.Matcher;
 import org.jboss.netty.util.internal.SystemPropertyUtil;
@@ -349,9 +350,8 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
     }
 
     protected WatcherClient watcherClient() {
-        return shieldEnabled ?
-                new WatcherClient(internalCluster().transportClient()) :
-                new WatcherClient(client());
+        Client client = shieldEnabled ? internalCluster().transportClient() : client();
+        return randomBoolean() ? new XPackClient(client).watcher() : new WatcherClient(client);
     }
 
     protected ScriptServiceProxy scriptService() {

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java

@@ -14,7 +14,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.support.XContentMapValues;
 import org.elasticsearch.watcher.client.WatcherClient;
 import org.elasticsearch.watcher.execution.ActionExecutionMode;
-import org.elasticsearch.watcher.shield.ShieldSecretService;
 import org.elasticsearch.watcher.support.http.HttpRequestTemplate;
 import org.elasticsearch.watcher.support.http.auth.basic.ApplicableBasicAuth;
 import org.elasticsearch.watcher.support.http.auth.basic.BasicAuth;
@@ -118,15 +117,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC
         if (shieldEnabled() && encryptSensitiveData) {
             assertThat(value, not(is((Object) PASSWORD)));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         } else {
             assertThat(value, is((Object) PASSWORD));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
             if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
             } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
             }
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         }
@@ -190,15 +189,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC
         if (shieldEnabled() && encryptSensitiveData) {
             assertThat(value, not(is((Object) PASSWORD)));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         } else {
             assertThat(value, is((Object) PASSWORD));
             SecretService secretService = getInstanceFromMaster(SecretService.class);
             if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
             } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
             }
             assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
         }

elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java

@@ -177,7 +177,7 @@ public class WatchTests extends ESTestCase {
         ScheduleRegistry scheduleRegistry = registry(schedule);
         TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock);
         TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
 
         ExecutableInput input = randomInput();
         InputRegistry inputRegistry = registry(input);
@@ -227,7 +227,7 @@ public class WatchTests extends ESTestCase {
         ScheduleRegistry scheduleRegistry = registry(randomSchedule());
         TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock);
         TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
         ExecutableCondition condition = randomCondition();
         ConditionRegistry conditionRegistry = registry(condition);
         ExecutableInput input = randomInput();
@@ -258,7 +258,7 @@ public class WatchTests extends ESTestCase {
         ScheduleRegistry scheduleRegistry = registry(schedule);
         TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, SystemClock.INSTANCE);
         TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
 
         ConditionRegistry conditionRegistry = registry(new ExecutableAlwaysCondition(logger));
         InputRegistry inputRegistry = registry(new ExecutableNoneInput(logger));