Shield refactoring for 5.0 - phase 2

- Started to move configuration under the `xpack` name - Cleaned up `ShieldPlugin` - renamed `ShieldClient` to `SecurityClient` - Introduced `XPackClient` that wraps security and watcher clients Original commit: elastic/x-pack-elasticsearch@f05be0c180
2016-02-05 11:13:30 +01:00 · 2016-02-05 11:13:30 +01:00 · 92f027159a
parent 50452e403f
commit 92f027159a
75 changed files with 415 additions and 416 deletions
--- a/elasticsearch/qa/shield-audit-tests/build.gradle
+++ b/elasticsearch/qa/shield-audit-tests/build.gradle
@ -10,7 +10,7 @@ integTest {
    systemProperty 'es.shield.audit.enabled', 'true'
    systemProperty 'es.shield.audit.outputs', 'index'
    setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/qa/shield-client-tests/build.gradle
+++ b/elasticsearch/qa/shield-client-tests/build.gradle
@ -8,9 +8,9 @@ integTest {
  cluster {
    plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
    setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    setupCommand 'setupTransportClientUser',
-                 'bin/x-pack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client'
+                 'bin/xpack/esusers', 'useradd', 'transport', '-p', 'changeme', '-r', 'transport_client'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/qa/shield-core-rest-tests/build.gradle
+++ b/elasticsearch/qa/shield-core-rest-tests/build.gradle
@ -35,7 +35,7 @@ integTest {
    systemProperty 'es.watcher.enabled', 'false'
    systemProperty 'es.marvel.enabled', 'false'
    setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/qa/shield-example-realm/build.gradle
+++ b/elasticsearch/qa/shield-example-realm/build.gradle
@ -23,7 +23,7 @@ integTest {
    systemProperty 'es.shield.authc.realms.esusers.type', 'esusers'
    setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle
+++ b/elasticsearch/qa/smoke-test-plugins-ssl/build.gradle
@ -57,9 +57,9 @@ integTest {
    // copy keystore into config/
    extraConfigFile keystore.name, keystore
    setupCommand 'setupTestUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    setupCommand 'setupMarvelUser',
-                 'bin/x-pack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent'
+                 'bin/xpack/esusers', 'useradd', 'marvel_export', '-p', 'changeme', '-r', 'marvel_agent'
    waitCondition = { node, ant ->
      // we just return true, doing an https check is tricky here
      return true
--- a/elasticsearch/qa/smoke-test-plugins/build.gradle
+++ b/elasticsearch/qa/smoke-test-plugins/build.gradle
@ -18,7 +18,7 @@ integTest {
    plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
    setupCommand 'setupDummyUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle
+++ b/elasticsearch/qa/smoke-test-watcher-with-shield/build.gradle
@ -20,13 +20,13 @@ integTest {
  cluster {
    plugin 'x-pack', project(':x-plugins:elasticsearch:x-pack')
-    extraConfigFile 'x-pack/roles.yml', 'roles.yml'
+    extraConfigFile 'xpack/roles.yml', 'roles.yml'
    setupCommand 'setupTestAdminUser',
-                 'bin/x-pack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin'
+                 'bin/xpack/esusers', 'useradd', 'test_admin', '-p', 'changeme', '-r', 'admin'
    setupCommand 'setupWatcherManagerUser',
-                 'bin/x-pack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager'
+                 'bin/xpack/esusers', 'useradd', 'watcher_manager', '-p', 'changeme', '-r', 'watcher_manager'
    setupCommand 'setupPowerlessUser',
-                 'bin/x-pack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role'
+                 'bin/xpack/esusers', 'useradd', 'powerless_user', '-p', 'changeme', '-r', 'crappy_role'
    waitCondition = { node, ant ->
      File tmpFile = new File(node.cwd, 'wait.success')
      ant.get(src: "http://${node.httpUri()}",
--- a/elasticsearch/x-pack/build.gradle
+++ b/elasticsearch/x-pack/build.gradle
@ -3,7 +3,7 @@ import org.elasticsearch.gradle.test.NodeInfo
 apply plugin: 'elasticsearch.esplugin'
 esplugin {
-  name 'x-pack'
+  name 'xpack'
  description 'Elasticsearch Expanded Pack Plugin'
  classname 'org.elasticsearch.xpack.XPackPlugin'
  // FIXME we still can't be isolated due to shield custom realms
@ -129,7 +129,7 @@ integTest {
  // TODO: fix this rest test to not depend on a hardcoded port!
  systemProperty 'tests.rest.blacklist', 'getting_started/10_monitor_cluster_health/*'
  cluster {
-    setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+    setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
    waitCondition = { NodeInfo node, AntBuilder ant ->
        File tmpFile = new File(node.cwd, 'wait.success')
        ant.get(src: "http://${node.httpUri()}",
@ -157,7 +157,7 @@ artifacts {
 }
 run {
-  setupCommand 'setupDummyUser', 'bin/x-pack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
+  setupCommand 'setupDummyUser', 'bin/xpack/esusers', 'useradd', 'test_user', '-p', 'changeme', '-r', 'admin'
 }
 // classes are missing, e.g. com.ibm.icu.lang.UCharacter
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexRecoveryCollector.java
@ -19,6 +19,7 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -26,8 +27,6 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
 /**
 * Collector for the Recovery API.
 * <p>
@ -73,7 +72,7 @@ public class IndexRecoveryCollector extends AbstractCollector<IndexRecoveryColle
                results.add(indexRecoveryDoc);
            }
        } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
            } else {
                throw e;
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndexStatsCollector.java
@ -21,6 +21,7 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -28,8 +29,6 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
 /**
 * Collector for indices statistics.
 * <p>
@ -87,7 +86,7 @@ public class IndexStatsCollector extends AbstractCollector<IndexStatsCollector>
                results.add(indexStatsDoc);
            }
        } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
            } else {
                throw e;
--- a/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java
+++ b/elasticsearch/x-pack/marvel/src/main/java/org/elasticsearch/marvel/agent/collector/indices/IndicesStatsCollector.java
@ -19,13 +19,12 @@ import org.elasticsearch.marvel.agent.exporter.MarvelDoc;
 import org.elasticsearch.marvel.agent.settings.MarvelSettings;
 import org.elasticsearch.marvel.license.MarvelLicensee;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.ShieldPlugin;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import static org.elasticsearch.shield.ShieldPlugin.shieldEnabled;
 /**
 * Collector for indices statistics.
 * <p>
@ -72,7 +71,7 @@ public class IndicesStatsCollector extends AbstractCollector<IndicesStatsCollect
            return Collections.singletonList(indicesStatsDoc);
        } catch (IndexNotFoundException e) {
-            if (shieldEnabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
+            if (ShieldPlugin.enabled(settings) && IndexNameExpressionResolver.isAllIndices(Arrays.asList(marvelSettings.indices()))) {
                logger.debug("collector [{}] - unable to collect data for missing index [{}]", name(), e.getIndex());
                return Collections.emptyList();
            }
--- a/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginTests.java
+++ b/elasticsearch/x-pack/marvel/src/test/java/org/elasticsearch/marvel/MarvelPluginTests.java
@ -66,7 +66,7 @@ public class MarvelPluginTests extends MarvelIntegTestCase {
                    break;
                }
            }
-            assertThat("x-pack plugin not found", found, equalTo(true));
+            assertThat("xpack plugin not found", found, equalTo(true));
        }
    }
--- a/elasticsearch/x-pack/shield/bin/shield/.in.bat
+++ b/elasticsearch/x-pack/shield/bin/shield/.in.bat
@ -76,7 +76,7 @@ REM JAVA_OPTS=%JAVA_OPTS% -XX:HeapDumpPath=$ES_HOME/logs/heapdump.hprof
 REM Disables explicit GC
 set JAVA_OPTS=%JAVA_OPTS% -XX:+DisableExplicitGC
-set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/elasticsearch-1.4.0-SNAPSHOT.jar;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/x-pack/*
+set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/xpack/*
 set ES_PARAMS=-Des.path.home="%ES_HOME%"
 SET HOSTNAME=%COMPUTERNAME%
--- a/elasticsearch/x-pack/shield/bin/shield/esusers
+++ b/elasticsearch/x-pack/shield/bin/shield/esusers
@ -123,7 +123,7 @@ fi
 export HOSTNAME=`hostname -s`
 # include shield jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 cd "$ES_HOME" > /dev/null
 "$JAVA" $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.authc.esusers.tool.ESUsersTool "$@"
--- a/elasticsearch/x-pack/shield/bin/shield/syskeygen
+++ b/elasticsearch/x-pack/shield/bin/shield/syskeygen
@ -123,7 +123,7 @@ fi
 export HOSTNAME=`hostname -s`
 # include shield jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 cd "$ES_HOME" > /dev/null
 $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" -Des.path.home="$ES_HOME" $properties org.elasticsearch.shield.crypto.tool.SystemKeyTool "$@"
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/ShieldPlugin.java
@ -6,7 +6,6 @@
 package org.elasticsearch.shield;
 import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.network.NetworkModule;
@ -14,7 +13,6 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.action.ShieldActionFilter;
@ -71,7 +69,6 @@ import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
 import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@ -85,22 +82,19 @@ import java.util.Map;
 public class ShieldPlugin extends Plugin {
    public static final String NAME = "shield";
-    public static final String ENABLED_SETTING_NAME = NAME + ".enabled";
+    public static final String DLS_FLS_FEATURE = "shield.dls_fls";
    public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
    public static final String DLS_FLS_ENABLED_SETTING = "shield.dls_fls.enabled";
    private static final boolean DEFAULT_ENABLED_SETTING = true;
    private final Settings settings;
    private final boolean enabled;
-    private final boolean clientMode;
+    private final boolean transportClientMode;
    private ShieldLicenseState shieldLicenseState;
    public ShieldPlugin(Settings settings) {
        this.settings = settings;
-        this.enabled = shieldEnabled(settings);
+        this.transportClientMode = XPackPlugin.transportClientMode(settings);
-        this.clientMode = clientMode(settings);
+        this.enabled = XPackPlugin.featureEnabled(settings, NAME, true);
-        if (enabled && clientMode == false) {
+        if (enabled && !transportClientMode) {
            failIfShieldQueryCacheIsNotActive(settings, true);
        }
    }
@ -118,11 +112,11 @@ public class ShieldPlugin extends Plugin {
    @Override
    public Collection<Module> nodeModules() {
-        if (!enabled) {
+        if (enabled == false) {
            return Collections.singletonList(new ShieldDisabledModule(settings));
        }
-        if (clientMode) {
+        if (transportClientMode == true) {
            return Arrays.<Module>asList(
                    new ShieldTransportModule(settings),
                    new SSLModule(settings));
@ -147,18 +141,21 @@ public class ShieldPlugin extends Plugin {
    @Override
    public Collection<Class<? extends LifecycleComponent>> nodeServices() {
-        if (enabled && clientMode == false) {
+        if (enabled == false || transportClientMode == true) {
-            List<Class<? extends LifecycleComponent>> list = new ArrayList<>();
+            return Collections.emptyList();
            if (AuditTrailModule.fileAuditLoggingEnabled(settings)) {
                list.add(LoggingAuditTrail.class);
            }
            list.add(ShieldLicensee.class);
            list.add(InternalCryptoService.class);
            list.add(FileRolesStore.class);
            list.add(Realms.class);
            return list;
        }
-        return Collections.emptyList();
+        List<Class<? extends LifecycleComponent>> list = new ArrayList<>();
        //TODO why only focus on file audit logs? shouldn't we just check if audit trail is enabled in general?
        if (AuditTrailModule.fileAuditLoggingEnabled(settings) == true) {
            list.add(LoggingAuditTrail.class);
        }
        list.add(ShieldLicensee.class);
        list.add(InternalCryptoService.class);
        list.add(FileRolesStore.class);
        list.add(Realms.class);
        return list;
    }
    @Override
@ -178,6 +175,7 @@ public class ShieldPlugin extends Plugin {
    }
    public void onModule(SettingsModule settingsModule) {
        //TODO shouldn't we register these settings only if shield is enabled and we're not in a client mode?
        settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_SETTING);
        settingsModule.registerSetting(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING);
        settingsModule.registerSetting(IPFilter.HTTP_FILTER_ALLOW_SETTING);
@ -187,6 +185,9 @@ public class ShieldPlugin extends Plugin {
        settingsModule.registerSetting(Setting.boolSetting("plugins.load_classpath_plugins", true, false, Setting.Scope.CLUSTER));
        // TODO add real settings for this wildcard here
        settingsModule.registerSetting(Setting.groupSetting("shield.", false, Setting.Scope.CLUSTER));
        // TODO please let's just drop the old settings before releasing
        settingsModule.registerSetting(Setting.groupSetting("xpack.shield.", false, Setting.Scope.CLUSTER));
        String[] asArray = settings.getAsArray("shield.hide_settings");
        for (String pattern : asArray) {
            settingsModule.registerSettingsFilter(pattern);
@ -207,6 +208,7 @@ public class ShieldPlugin extends Plugin {
        if (enabled == false) {
            return;
        }
        assert shieldLicenseState != null;
        if (flsDlsEnabled(settings)) {
            module.setSearcherWrapper((indexService) -> new ShieldIndexSearcherWrapper(indexService.getIndexSettings(),
@ -214,7 +216,7 @@ public class ShieldPlugin extends Plugin {
                    indexService.cache().bitsetFilterCache(), indexService.getIndexServices().getThreadPool().getThreadContext(),
                    shieldLicenseState));
        }
-        if (clientMode == false) {
+        if (transportClientMode == false) {
            module.registerQueryCache(ShieldPlugin.OPT_OUT_QUERY_CACHE, OptOutQueryCache::new);
            failIfShieldQueryCacheIsNotActive(module.getSettings(), false);
        }
@ -225,7 +227,7 @@ public class ShieldPlugin extends Plugin {
            return;
        }
        // registering the security filter only for nodes
-        if (clientMode == false) {
+        if (transportClientMode == false) {
            module.registerFilter(ShieldActionFilter.class);
        }
@ -241,23 +243,21 @@ public class ShieldPlugin extends Plugin {
    }
    public void onModule(NetworkModule module) {
        if (clientMode == false) {
            // we want to expose the shield rest action even when the plugin is disabled
            module.registerRestHandler(RestShieldInfoAction.class);
        }
-        if (enabled == false) {
+        if (transportClientMode) {
            if (enabled) {
                module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
                module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class);
            }
            return;
        }
-        module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
+        // we want to expose the shield rest action even when the plugin is disabled
-        if (clientMode) {
+        module.registerRestHandler(RestShieldInfoAction.class);
            module.registerTransportService(ShieldPlugin.NAME, ShieldClientTransportService.class);
        } else {
            module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class);
        }
-        if (clientMode == false) {
+        if (enabled) {
            module.registerTransport(ShieldPlugin.NAME, ShieldNettyTransport.class);
            module.registerTransportService(ShieldPlugin.NAME, ShieldServerTransportService.class);
            module.registerRestHandler(RestAuthenticateAction.class);
            module.registerRestHandler(RestClearRealmCacheAction.class);
            module.registerRestHandler(RestClearRolesCacheAction.class);
@ -290,39 +290,41 @@ public class ShieldPlugin extends Plugin {
                .toCharArray())));
    }
-    /*
+    /**
-     We inject additional settings on each tribe client if the current node is a tribe node, to make sure that every tribe has shield
+     * If the current node is a tribe node, we inject additional settings on each tribe client. We do this to make sure
-     installed and enabled too:
+     * that every tribe cluster has shield installed and is enabled. We do that by:
-     - if shield is loaded on the tribe node we make sure it is also loaded on every tribe, by making it mandatory there
+     *
-     (this means that the tribe node will fail at startup if shield is not loaded on any tribe due to missing mandatory plugin)
+     *    - making it mandatory on the tribe client (this means that the tribe node will fail at startup if shield is
-     - if shield is loaded and enabled on the tribe node, we make sure it is also enabled on every tribe, by forcibly enabling it
+     *      not loaded on any tribe due to missing mandatory plugin)
-       (that means it's not possible to disable shield on the tribe clients)
+     *
     *    - forcibly enabling it (that means it's not possible to disable shield on the tribe clients)
     */
    private void addTribeSettings(Settings.Builder settingsBuilder) {
        Map<String, Settings> tribesSettings = settings.getGroups("tribe", true);
        if (tribesSettings.isEmpty()) {
            // it's not a tribe node
            return;
        }
        for (Map.Entry<String, Settings> tribeSettings : tribesSettings.entrySet()) {
            String tribePrefix = "tribe." + tribeSettings.getKey() + ".";
-            // we copy over existing mandatory plugins under additional settings, as they would get overridden otherwise (arrays don't get
+            // we copy over existing mandatory plugins under additional settings, as they would get overridden
-            // merged)
+            // otherwise (arrays don't get merged)
            String[] existingMandatoryPlugins = tribeSettings.getValue().getAsArray("plugin.mandatory", null);
            if (existingMandatoryPlugins == null) {
                //shield is mandatory on every tribe if installed and enabled on the tribe node
-                settingsBuilder.putArray(tribePrefix + "plugin.mandatory", NAME);
+                settingsBuilder.putArray(tribePrefix + "plugin.mandatory", XPackPlugin.NAME);
            } else {
-                if (!isShieldMandatory(existingMandatoryPlugins)) {
+                if (Arrays.binarySearch(existingMandatoryPlugins, XPackPlugin.NAME) < 0) {
-                    throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" + NAME + "] must be included in" +
+                    throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [" +
-                            " this list");
+                            XPackPlugin.NAME + "] must be included in this list");
                }
            }
-            final String tribeEnabledSetting = tribePrefix + ENABLED_SETTING_NAME;
+            final String tribeEnabledSetting = tribePrefix + XPackPlugin.featureEnabledSetting(NAME);
            if (settings.get(tribeEnabledSetting) != null) {
-                boolean enabled = shieldEnabled(tribeSettings.getValue());
+                boolean enabled = enabled(tribeSettings.getValue());
                if (!enabled) {
                    throw new IllegalStateException("tribe setting [" + tribeEnabledSetting + "] must be set to true but the value is ["
                            + settings.get(tribeEnabledSetting) + "]");
@ -334,43 +336,22 @@ public class ShieldPlugin extends Plugin {
        }
    }
-    /*
+    /**
-        We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
+     *  We need to forcefully overwrite the query cache implementation to use Shield's opt out query cache implementation.
-        This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
+     *  This impl. disabled the query cache if field level security is used for a particular request. If we wouldn't do
-        forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
+     *  forcefully overwrite the query cache implementation then we leave the system vulnerable to leakages of data to
-        unauthorized users.
+     *  unauthorized users.
     */
    private void addQueryCacheSettings(Settings.Builder settingsBuilder) {
        settingsBuilder.put(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey(), OPT_OUT_QUERY_CACHE);
    }
-    private static boolean isShieldMandatory(String[] existingMandatoryPlugins) {
+    public static boolean enabled(Settings settings) {
-        for (String existingMandatoryPlugin : existingMandatoryPlugins) {
+        return XPackPlugin.featureEnabled(settings, NAME, true);
            if (NAME.equals(existingMandatoryPlugin)) {
                return true;
            }
        }
        return false;
    }
    public static Path configDir(Environment env) {
        return env.configFile().resolve(XPackPlugin.NAME);
    }
    public static Path resolveConfigFile(Environment env, String name) {
        return configDir(env).resolve(name);
    }
    public static boolean clientMode(Settings settings) {
        return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
    }
    public static boolean shieldEnabled(Settings settings) {
        return settings.getAsBoolean(ENABLED_SETTING_NAME, DEFAULT_ENABLED_SETTING);
    }
    public static boolean flsDlsEnabled(Settings settings) {
-        return settings.getAsBoolean(DLS_FLS_ENABLED_SETTING, true);
+        return XPackPlugin.featureEnabled(settings, DLS_FLS_FEATURE, true);
    }
    private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean nodeSettings) {
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esnative/ESNativeUsersStore.java
@ -54,7 +54,7 @@ import org.elasticsearch.shield.action.user.DeleteUserRequest;
 import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.threadpool.ThreadPool;
 import java.util.ArrayList;
@ -458,10 +458,10 @@ public class ESNativeUsersStore extends AbstractComponent implements ClusterStat
    }
    private <Response> void clearRealmCache(String username, ActionListener<Response> listener, Response response) {
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = new SecurityClient(client);
-        ClearRealmCacheRequest request = shieldClient.prepareClearRealmCache()
+        ClearRealmCacheRequest request = securityClient.prepareClearRealmCache()
                .usernames(username).request();
-        shieldClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
+        securityClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
            @Override
            public void onResponse(ClearRealmCacheResponse nodes) {
                listener.onResponse(response);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserPasswdStore.java
@ -20,6 +20,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.IOException;
 import java.io.PrintWriter;
@ -98,7 +99,7 @@ public class FileUserPasswdStore {
    public static Path resolveFile(Settings settings, Environment env) {
        String location = settings.get("files.users");
        if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "users");
+            return XPackPlugin.resolveConfigFile(env, "users");
        }
        return env.binFile().getParent().resolve(location);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/esusers/FileUserRolesStore.java
@ -19,6 +19,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.IOException;
 import java.io.PrintWriter;
@ -91,7 +92,7 @@ public class FileUserRolesStore {
    public static Path resolveFile(Settings settings, Environment env) {
        String location = settings.get("files.users_roles");
        if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "users_roles");
+            return XPackPlugin.resolveConfigFile(env, "users_roles");
        }
        return env.binFile().getParent().resolve(location);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authc/support/DnRoleMapper.java
@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.RealmConfig;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.IOException;
 import java.io.InputStream;
@ -82,7 +83,7 @@ public class DnRoleMapper {
    public static Path resolveFile(Settings settings, Environment env) {
        String location = settings.get(ROLE_MAPPING_FILE_SETTING);
        if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME);
+            return XPackPlugin.resolveConfigFile(env, DEFAULT_FILE_NAME);
        }
        return env.binFile().getParent().resolve(location);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/esnative/ESNativeRolesStore.java
@ -48,7 +48,7 @@ import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.permission.Role;
 import org.elasticsearch.shield.authz.store.RolesStore;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.threadpool.ThreadPool;
 import java.util.ArrayList;
@ -84,7 +84,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
    private final ConcurrentHashMap<String, RoleAndVersion> roleCache = new ConcurrentHashMap<>();
    private Client client;
-    private ShieldClient shieldClient;
+    private SecurityClient securityClient;
    private int scrollSize;
    private TimeValue scrollKeepAlive;
    private ScheduledFuture<?> versionChecker;
@ -353,7 +353,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
        try {
            if (state.compareAndSet(State.INITIALIZED, State.STARTING)) {
                this.client = clientProvider.get();
-                this.shieldClient = new ShieldClient(client);
+                this.securityClient = new SecurityClient(client);
                this.scrollSize = settings.getAsInt("shield.authc.native.scroll.size", 1000);
                this.scrollKeepAlive = settings.getAsTime("shield.authc.native.scroll.keep_alive", TimeValue.timeValueSeconds(10L));
                TimeValue pollInterval = settings.getAsTime("shield.authc.native.reload.interval", TimeValue.timeValueSeconds(30L));
@ -407,7 +407,7 @@ public class ESNativeRolesStore extends AbstractComponent implements RolesStore,
    private <Response> void clearRoleCache(final String role, ActionListener<Response> listener, Response response) {
        ClearRolesCacheRequest request = new ClearRolesCacheRequest().roles(role);
-        shieldClient.clearRolesCache(request, new ActionListener<ClearRolesCacheResponse>() {
+        securityClient.clearRolesCache(request, new ActionListener<ClearRolesCacheResponse>() {
            @Override
            public void onResponse(ClearRolesCacheResponse nodes) {
                listener.onResponse(response);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/store/FileRolesStore.java
@ -34,6 +34,7 @@ import org.elasticsearch.shield.support.Validation;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@ -109,7 +110,7 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
    public static Path resolveFile(Settings settings, Environment env) {
        String location = settings.get("shield.authz.store.files.roles");
        if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, "roles.yml");
+            return XPackPlugin.resolveConfigFile(env, "roles.yml");
        }
        return env.binFile().getParent().resolve(location);
@ -285,10 +286,10 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
                                                                if (token == XContentParser.Token.VALUE_STRING) {
                                                                    names.add(parser.text());
                                                                } else {
-                                                                    logger.error("invalid role definition [{}] in roles file [{}]. could " +
+                                                                    logger.error("invalid role definition [{}] in roles file [{}]. " +
-                                                                            "not parse " +
+                                                                            "could not parse [{}] as index privilege. privilege " +
-                                                                            "[{}] as index privilege. privilege names must be strings. " +
+                                                                            "names must be strings. skipping role...", roleName,
-                                                                            "skipping role...", roleName, path.toAbsolutePath(), token);
+                                                                            path.toAbsolutePath(), token);
                                                                    return null;
                                                                }
                                                            }
@ -301,26 +302,27 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
                                                if (name != null) {
                                                    if ((query != null || (fields != null && fields.isEmpty() == false)) &&
                                                            ShieldPlugin.flsDlsEnabled(settings) == false) {
-                                                        logger.error("invalid role definition [{}] in roles file [{}]. document and field" +
+                                                        logger.error("invalid role definition [{}] in roles file [{}]. " +
-                                                                " level security is not enabled. set [{}] to [true] in the configuration " +
+                                                                "document and field level security is not enabled. " +
-                                                                "file. skipping role...", roleName, path.toAbsolutePath(), ShieldPlugin
+                                                                "set [{}] to [true] in the configuration file. skipping role...",
-                                                                .DLS_FLS_ENABLED_SETTING);
+                                                                roleName, path.toAbsolutePath(),
                                                                XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE));
                                                        return null;
                                                    }
                                                    try {
                                                        role.add(fields, query, IndexPrivilege.get(name), indices);
                                                    } catch (IllegalArgumentException e) {
-                                                        logger.error("invalid role definition [{}] in roles file [{}]. could not resolve " +
+                                                        logger.error("invalid role definition [{}] in roles file [{}]. could not " +
-                                                                "indices privileges [{}]. skipping role...", roleName,
+                                                                "resolve indices privileges [{}]. skipping role...", roleName,
                                                                path.toAbsolutePath(), name);
                                                        return null;
                                                    }
                                                }
                                                continue;
                                            } else {
-                                                logger.error("invalid role definition [{}] in roles file [{}]. could not parse [{}] as " +
+                                                logger.error("invalid role definition [{}] in roles file [{}]. " +
-                                                        "index privileges. privilege lists must either " +
+                                                        "could not parse [{}] as index privileges. privilege lists must either " +
                                                        "be a comma delimited string or an array of strings. skipping role...", roleName,
                                                        path.toAbsolutePath(), token);
                                                return null;
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/SecurityClient.java
@ -44,19 +44,12 @@ import org.elasticsearch.shield.action.role.ClearRolesCacheResponse;
 /**
 * A wrapper to elasticsearch clients that exposes all Shield related APIs
 */
-public class ShieldClient {
+public class SecurityClient {
    private final ElasticsearchClient client;
    private final ShieldAuthcClient authcClient;
-    public ShieldClient(ElasticsearchClient client) {
+    public SecurityClient(ElasticsearchClient client) {
        this.client = client;
        this.authcClient = new ShieldAuthcClient(client);
    }
    @Deprecated
    public ShieldAuthcClient authc() {
        return authcClient;
    }
    /****************
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/client/ShieldAuthcClient.java
@ -1,54 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.shield.client;
 import org.elasticsearch.action.ActionFuture;
 import org.elasticsearch.action.ActionListener;
 import org.elasticsearch.client.ElasticsearchClient;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheAction;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequestBuilder;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
 /**
 * A client to manage Shield's authentication
 *
 * @deprecated Use {@link ShieldClient} directly instead
 */
@Deprecated
 public class ShieldAuthcClient {
    private final ElasticsearchClient client;
    ShieldAuthcClient(ElasticsearchClient client) {
        this.client = client;
    }
    /**
     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
     */
    public ClearRealmCacheRequestBuilder prepareClearRealmCache() {
        return new ClearRealmCacheRequestBuilder(client);
    }
    /**
     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
     */
    public void clearRealmCache(ClearRealmCacheRequest request, ActionListener<ClearRealmCacheResponse> listener) {
        client.execute(ClearRealmCacheAction.INSTANCE, request, listener);
    }
    /**
     * Clears the realm caches. It's possible to clear all user entries from all realms in the cluster or alternatively
     * select the realms (by their unique names) and/or users (by their usernames) that should be evicted.
     */
    public ActionFuture<ClearRealmCacheResponse> clearRealmCache(ClearRealmCacheRequest request) {
        return client.execute(ClearRealmCacheAction.INSTANCE, request);
    }
 }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@ -17,6 +17,7 @@ import org.elasticsearch.shield.authc.support.CharArrays;
 import org.elasticsearch.watcher.FileChangesListener;
 import org.elasticsearch.watcher.FileWatcher;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
@ -159,7 +160,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
    public static Path resolveSystemKey(Settings settings, Environment env) {
        String location = settings.get(FILE_SETTING);
        if (location == null) {
-            return ShieldPlugin.resolveConfigFile(env, FILE_NAME);
+            return XPackPlugin.resolveConfigFile(env, FILE_NAME);
        }
        return env.binFile().getParent().resolve(location);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/RestShieldInfoAction.java
@ -37,7 +37,7 @@ public class RestShieldInfoAction extends BaseRestHandler {
        super(settings, client);
        this.clusterName = clusterName;
        this.shieldLicenseState = licenseState;
-        this.shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        this.shieldEnabled = ShieldPlugin.enabled(settings);
        controller.registerHandler(GET, "/_shield", this);
        controller.registerHandler(HEAD, "/_shield", this);
    }
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/realm/RestClearRealmCacheAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/realm/RestClearRealmCacheAction.java
@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheRequest;
 import org.elasticsearch.shield.action.realm.ClearRealmCacheResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import static org.elasticsearch.rest.RestRequest.Method.POST;
@ -41,7 +41,7 @@ public class RestClearRealmCacheAction extends BaseRestHandler {
        ClearRealmCacheRequest req = new ClearRealmCacheRequest().realms(realms).usernames(usernames);
-        new ShieldClient(client).clearRealmCache(req, new RestBuilderListener<ClearRealmCacheResponse>(channel) {
+        new SecurityClient(client).clearRealmCache(req, new RestBuilderListener<ClearRealmCacheResponse>(channel) {
            @Override
            public RestResponse buildResponse(ClearRealmCacheResponse response, XContentBuilder builder) throws Exception {
                response.toXContent(builder, ToXContent.EMPTY_PARAMS);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestAddRoleAction.java
@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.AddRoleRequest;
 import org.elasticsearch.shield.action.role.AddRoleResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest endpoint to add a Role to the shield index
@ -38,7 +38,7 @@ public class RestAddRoleAction extends BaseRestHandler {
        AddRoleRequest addRoleReq = new AddRoleRequest(request.content());
        addRoleReq.name(request.param("id"));
-        new ShieldClient(client).addRole(addRoleReq, new RestBuilderListener<AddRoleResponse>(channel) {
+        new SecurityClient(client).addRole(addRoleReq, new RestBuilderListener<AddRoleResponse>(channel) {
            @Override
            public RestResponse buildResponse(AddRoleResponse addRoleResponse, XContentBuilder builder) throws Exception {
                return new BytesRestResponse(RestStatus.OK,
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestClearRolesCacheAction.java
@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.ClearRolesCacheRequest;
 import org.elasticsearch.shield.action.role.ClearRolesCacheResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import static org.elasticsearch.rest.RestRequest.Method.POST;
@ -42,7 +42,7 @@ public class RestClearRolesCacheAction extends BaseRestHandler {
        ClearRolesCacheRequest req = new ClearRolesCacheRequest().roles(roles);
-        new ShieldClient(client).clearRolesCache(req, new RestBuilderListener<ClearRolesCacheResponse>(channel) {
+        new SecurityClient(client).clearRolesCache(req, new RestBuilderListener<ClearRolesCacheResponse>(channel) {
            @Override
            public RestResponse buildResponse(ClearRolesCacheResponse response, XContentBuilder builder) throws Exception {
                response.toXContent(builder, ToXContent.EMPTY_PARAMS);
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestDeleteRoleAction.java
@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.DeleteRoleRequest;
 import org.elasticsearch.shield.action.role.DeleteRoleResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest endpoint to delete a Role from the shield index
@ -37,7 +37,7 @@ public class RestDeleteRoleAction extends BaseRestHandler {
        String role = request.param("id");
        DeleteRoleRequest delRoleRequest = new DeleteRoleRequest(role);
-        new ShieldClient(client).deleteRole(delRoleRequest, new RestBuilderListener<DeleteRoleResponse>(channel) {
+        new SecurityClient(client).deleteRole(delRoleRequest, new RestBuilderListener<DeleteRoleResponse>(channel) {
            @Override
            public RestResponse buildResponse(DeleteRoleResponse response, XContentBuilder builder) throws Exception {
                return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND,
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/role/RestGetRolesAction.java
@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestResponse;
 import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.role.GetRolesResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest endpoint to retrieve a Role from the shield index
@ -38,7 +38,7 @@ public class RestGetRolesAction extends BaseRestHandler {
    protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
        String[] roles = Strings.splitStringByCommaToArray(request.param("id"));
-        new ShieldClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener<GetRolesResponse>(channel) {
+        new SecurityClient(client).prepareGetRoles().roles(roles).execute(new RestBuilderListener<GetRolesResponse>(channel) {
            @Override
            public RestResponse buildResponse(GetRolesResponse getRolesResponse, XContentBuilder builder) throws Exception {
                builder.startObject();
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestAddUserAction.java
@ -20,7 +20,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.user.AddUserRequest;
 import org.elasticsearch.shield.action.user.AddUserResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest endpoint to add a User to the shield index
@ -40,7 +40,7 @@ public class RestAddUserAction extends BaseRestHandler {
        addUserReq.username(request.param("username"));
        addUserReq.source(request.content());
-        new ShieldClient(client).addUser(addUserReq, new RestBuilderListener<AddUserResponse>(channel) {
+        new SecurityClient(client).addUser(addUserReq, new RestBuilderListener<AddUserResponse>(channel) {
            @Override
            public RestResponse buildResponse(AddUserResponse addUserResponse, XContentBuilder builder) throws Exception {
                return new BytesRestResponse(RestStatus.OK,
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestDeleteUserAction.java
@ -19,7 +19,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.action.user.DeleteUserRequest;
 import org.elasticsearch.shield.action.user.DeleteUserResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest action to delete a user from the shield index
@ -37,7 +37,7 @@ public class RestDeleteUserAction extends BaseRestHandler {
        String user = request.param("username");
        DeleteUserRequest delUserRequest = new DeleteUserRequest(user);
-        new ShieldClient(client).deleteUser(delUserRequest, new RestBuilderListener<DeleteUserResponse>(channel) {
+        new SecurityClient(client).deleteUser(delUserRequest, new RestBuilderListener<DeleteUserResponse>(channel) {
            @Override
            public RestResponse buildResponse(DeleteUserResponse response, XContentBuilder builder) throws Exception {
                return new BytesRestResponse(response.found() ? RestStatus.OK : RestStatus.NOT_FOUND,
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/rest/action/user/RestGetUsersAction.java
@ -21,7 +21,7 @@ import org.elasticsearch.rest.RestStatus;
 import org.elasticsearch.rest.action.support.RestBuilderListener;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.action.user.GetUsersResponse;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 /**
 * Rest action to retrieve a user from the shield index
@ -39,7 +39,7 @@ public class RestGetUsersAction extends BaseRestHandler {
    protected void handleRequest(RestRequest request, final RestChannel channel, Client client) throws Exception {
        String[] users = Strings.splitStringByCommaToArray(request.param("username"));
-        new ShieldClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener<GetUsersResponse>(channel) {
+        new SecurityClient(client).prepareGetUsers().users(users).execute(new RestBuilderListener<GetUsersResponse>(channel) {
            @Override
            public RestResponse buildResponse(GetUsersResponse getUsersResponse, XContentBuilder builder) throws Exception {
                builder.startObject();
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/support/AbstractShieldModule.java
@ -22,7 +22,7 @@ public abstract class AbstractShieldModule extends AbstractModule {
    public AbstractShieldModule(Settings settings) {
        this.settings = settings;
        this.clientMode = !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
-        this.shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        this.shieldEnabled = ShieldPlugin.enabled(settings);
    }
    @Override
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/BulkUpdateTests.java
@ -16,6 +16,7 @@ import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.rest.client.http.HttpResponse;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.IOException;
@ -30,7 +31,7 @@ public class BulkUpdateTests extends ShieldIntegTestCase {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
                .put(NetworkModule.HTTP_ENABLED.getKey(), true)
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, randomBoolean())
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), randomBoolean())
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRealmsCacheTests.java
@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.SecuredStringTests;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.rest.client.http.HttpRequestBuilder;
@ -140,11 +140,11 @@ public class ClearRealmsCacheTests extends ShieldIntegTestCase {
        public abstract void executeRequest() throws Exception;
        static void executeTransportRequest(ClearRealmCacheRequest request) throws Exception {
-            ShieldClient shieldClient = new ShieldClient(client());
+            SecurityClient securityClient = securityClient(client());
            final CountDownLatch latch = new CountDownLatch(1);
            final AtomicReference<Throwable> error = new AtomicReference<>();
-            shieldClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
+            securityClient.clearRealmCache(request, new ActionListener<ClearRealmCacheResponse>() {
                @Override
                public void onResponse(ClearRealmCacheResponse response) {
                    assertThat(response.getNodes().length, equalTo(internalCluster().getNodeNames().length));
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/ClearRolesCacheTests.java
@ -21,7 +21,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.elasticsearch.test.junit.annotations.TestLogging;
@ -57,7 +57,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
    @Before
    public void setupForTest() throws Exception {
        // Clear the realm cache for all realms since we use a SUITE scoped cluster
-        ShieldClient client = new ShieldClient(internalCluster().transportClient());
+        SecurityClient client = securityClient(internalCluster().transportClient());
        client.prepareClearRealmCache().get();
        for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) {
@ -78,7 +78,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
            });
        }
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        // create roles
        for (String role : roles) {
            c.prepareAddRole().name(role)
@ -109,13 +109,13 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
    public void testModifyingViaApiClearsCache() throws Exception {
        Client client = internalCluster().transportClient();
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
        int modifiedRolesCount = randomIntBetween(1, roles.length);
        List<String> toModify = randomSubsetOf(modifiedRolesCount, roles);
        logger.debug("--> modifying roles {} to have run_as", toModify);
        for (String role : toModify) {
-            AddRoleResponse response = shieldClient.prepareAddRole().name(role)
+            AddRoleResponse response = securityClient.prepareAddRole().name(role)
                    .cluster("none")
                    .addIndices(new String[] { "*" }, new String[] { "ALL" }, null, null)
                    .runAs(role)
@ -124,7 +124,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
            logger.debug("--> updated role [{}] with run_as", role);
        }
-        assertRolesAreCorrect(shieldClient, toModify);
+        assertRolesAreCorrect(securityClient, toModify);
    }
    public void testModifyingDocumentsDirectly() throws Exception {
@ -144,7 +144,7 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
        // in this test, the poller runs too frequently to check the cache still has roles without run as
        // clear the cache and we should definitely see the latest values!
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
        final boolean useHttp = randomBoolean();
        final boolean clearAll = randomBoolean();
        logger.debug("--> starting to clear roles. using http [{}] clearing all [{}]", useHttp, clearAll);
@ -163,18 +163,18 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
                    .execute();
            assertThat(response.getStatusCode(), is(RestStatus.OK.getStatus()));
        } else {
-            shieldClient.prepareClearRolesCache().roles(rolesToClear).get();
+            securityClient.prepareClearRolesCache().roles(rolesToClear).get();
        }
-        assertRolesAreCorrect(shieldClient, toModify);
+        assertRolesAreCorrect(securityClient, toModify);
    }
    public void testDeletingRoleDocumentDirectly() throws Exception {
        Client client = internalCluster().transportClient();
-        ShieldClient shieldClient = new ShieldClient(client);
+        SecurityClient securityClient = securityClient(client);
        final String role = randomFrom(roles);
-        List<RoleDescriptor> foundRoles = shieldClient.prepareGetRoles().roles(role).get().roles();
+        List<RoleDescriptor> foundRoles = securityClient.prepareGetRoles().roles(role).get().roles();
        assertThat(foundRoles.size(), is(1));
        logger.debug("--> deleting role [{}]", role);
        DeleteResponse response = client.prepareDelete(ShieldTemplateService.SHIELD_ADMIN_INDEX_NAME,
@ -184,15 +184,15 @@ public class ClearRolesCacheTests extends ShieldIntegTestCase {
        assertBusy(new Runnable() {
            @Override
            public void run() {
-                assertThat(shieldClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true));
+                assertThat(securityClient.prepareGetRoles().roles(role).get().roles().isEmpty(), is(true));
            }
        });
    }
-    private void assertRolesAreCorrect(ShieldClient shieldClient, List<String> toModify) {
+    private void assertRolesAreCorrect(SecurityClient securityClient, List<String> toModify) {
        for (String role : roles) {
            logger.debug("--> getting role [{}]", role);
-            GetRolesResponse roleResponse = shieldClient.prepareGetRoles().roles(role).get();
+            GetRolesResponse roleResponse = securityClient.prepareGetRoles().roles(role).get();
            assertThat(roleResponse.isExists(), is(true));
            final String[] runAs = roleResponse.roles().get(0).getRunAs();
            if (toModify.contains(role)) {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentAndFieldLevelSecurityTests.java
@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Collections;
@ -75,7 +76,7 @@ public class DocumentAndFieldLevelSecurityTests extends ShieldIntegTestCase {
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityRandomTests.java
@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.ArrayList;
 import java.util.Collections;
@ -74,7 +75,7 @@ public class DocumentLevelSecurityRandomTests extends ShieldIntegTestCase {
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
@ -28,6 +28,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Collections;
@ -87,7 +88,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityRandomTests.java
@ -14,6 +14,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.ArrayList;
 import java.util.Collections;
@ -111,7 +112,7 @@ public class FieldLevelSecurityRandomTests extends ShieldIntegTestCase {
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@ -28,6 +28,7 @@ import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Collections;
@ -116,7 +117,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/IndicesPermissionsWithAliasesWildcardsAndRegexsTests.java
@ -12,6 +12,7 @@ import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Collections;
@ -60,7 +61,7 @@ public class IndicesPermissionsWithAliasesWildcardsAndRegexsTests extends Shield
    public Settings nodeSettings(int nodeOrdinal) {
        return Settings.builder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginEnabledDisabledTests.java
@ -66,7 +66,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
        logger.info("******* shield is " + (enabled ? "enabled" : "disabled"));
        return Settings.settingsBuilder()
                .put(super.nodeSettings(nodeOrdinal))
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled)
                .put(NetworkModule.HTTP_ENABLED.getKey(), true)
                .build();
    }
@ -75,7 +75,7 @@ public class ShieldPluginEnabledDisabledTests extends ShieldIntegTestCase {
    protected Settings transportClientSettings() {
        return Settings.settingsBuilder()
                .put(super.transportClientSettings())
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, enabled)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), enabled)
                .build();
    }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/ShieldPluginSettingsTests.java
@ -7,6 +7,7 @@ package org.elasticsearch.shield;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
@ -14,8 +15,9 @@ import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.Matchers.arrayContaining;
 public class ShieldPluginSettingsTests extends ESTestCase {
-    private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + ShieldPlugin.ENABLED_SETTING_NAME;
+
-    private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + ShieldPlugin.ENABLED_SETTING_NAME;
+    private static final String TRIBE_T1_SHIELD_ENABLED = "tribe.t1." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME);
    private static final String TRIBE_T2_SHIELD_ENABLED = "tribe.t2." + XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME);
    public void testShieldIsMandatoryOnTribes() {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
@ -26,8 +28,8 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        Settings additionalSettings = shieldPlugin.additionalSettings();
-        assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME));
+        assertThat(additionalSettings.getAsArray("tribe.t1.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME));
-        assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(ShieldPlugin.NAME));
+        assertThat(additionalSettings.getAsArray("tribe.t2.plugin.mandatory", null), arrayContaining(XPackPlugin.NAME));
    }
    public void testAdditionalMandatoryPluginsOnTribes() {
@ -41,14 +43,14 @@ public class ShieldPluginSettingsTests extends ESTestCase {
            Settings.builder().put(settings).put(shieldPlugin.additionalSettings()).build();
            fail("shield cannot change the value of a setting that is already defined, so a exception should be thrown");
        } catch (IllegalStateException e) {
-            assertThat(e.getMessage(), containsString("shield"));
+            assertThat(e.getMessage(), containsString(XPackPlugin.NAME));
            assertThat(e.getMessage(), containsString("plugin.mandatory"));
        }
    }
    public void testMandatoryPluginsOnTribesShieldAlreadyMandatory() {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
-                .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build();
+                .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
@ -59,7 +61,7 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        assertThat(finalMandatoryPlugins, notNullValue());
        assertThat(finalMandatoryPlugins.length, equalTo(2));
        assertThat(finalMandatoryPlugins[0], equalTo("test_plugin"));
-        assertThat(finalMandatoryPlugins[1], equalTo(ShieldPlugin.NAME));
+        assertThat(finalMandatoryPlugins[1], equalTo(XPackPlugin.NAME));
    }
    public void testShieldIsEnabledByDefaultOnTribes() {
@ -93,7 +95,7 @@ public class ShieldPluginSettingsTests extends ESTestCase {
        Settings settings = Settings.builder().put("tribe.t1.cluster.name", "non_existing")
                .put(TRIBE_T1_SHIELD_ENABLED, false)
                .put("tribe.t2.cluster.name", "non_existing")
-                .putArray("tribe.t1.plugin.mandatory", "test_plugin", ShieldPlugin.NAME).build();
+                .putArray("tribe.t1.plugin.mandatory", "test_plugin", XPackPlugin.NAME).build();
        ShieldPlugin shieldPlugin = new ShieldPlugin(settings);
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
@ -42,6 +42,7 @@ import org.elasticsearch.transport.Transport;
 import org.elasticsearch.transport.TransportInfo;
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.joda.time.format.ISODateTimeFormat;
@ -166,13 +167,15 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
                    public Settings nodeSettings(int nodeOrdinal) {
                        Settings.Builder builder = Settings.builder()
                                .put(super.nodeSettings(nodeOrdinal))
-                                .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield);
+                                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield);
-                        // For tests we forcefully configure Shield's custom query cache because the test framework randomizes the query
+
-                        // cache impl,
+                        // For tests we forcefully configure Shield's custom query cache because the test framework
-                        // but if shield is disabled then we don't need to forcefully set the query cache
+                        // randomizes the query cache impl but if shield is disabled then we don't need to forcefully
                        // set the query cache
                        if (useShield == false) {
                            builder.remove(IndexModule.INDEX_QUERY_CACHE_TYPE_SETTING.getKey());
                        }
                        return builder.build();
                    }
            };
@ -188,7 +191,7 @@ public class IndexAuditTrailTests extends ShieldIntegTestCase {
            Settings.Builder builder = Settings.builder()
                    .put(settings)
-                    .put(ShieldPlugin.ENABLED_SETTING_NAME, useShield)
+                    .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), useShield)
                    .put(remoteSettings(NetworkAddress.formatAddress(inet.address().getAddress()), inet.address().getPort(), cluster2Name))
                    .put("shield.audit.index.client.shield.user", DEFAULT_USER_NAME + ":" + DEFAULT_PASSWORD);
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authc/esnative/ESNativeTests.java
@ -22,7 +22,7 @@ import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authz.RoleDescriptor;
 import org.elasticsearch.shield.authz.esnative.ESNativeRolesStore;
 import org.elasticsearch.shield.authz.permission.Role;
-import org.elasticsearch.shield.client.ShieldClient;
+import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.test.ShieldSettingsSource;
 import org.junit.After;
@ -43,7 +43,7 @@ import static org.hamcrest.Matchers.isOneOf;
 public class ESNativeTests extends ShieldIntegTestCase {
    public void testDeletingNonexistingUserAndRole() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        DeleteUserResponse resp = c.prepareDeleteUser().user("joe").get();
        assertFalse("user shouldn't be found", resp.found());
        DeleteRoleResponse resp2 = c.prepareDeleteRole().role("role").get();
@ -51,7 +51,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testGettingUserThatDoesntExist() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        GetUsersResponse resp = c.prepareGetUsers().users("joe").get();
        assertFalse("user should not exist", resp.isExists());
        GetRolesResponse resp2 = c.prepareGetRoles().roles("role").get();
@ -59,7 +59,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testAddAndGetUser() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating user");
        c.prepareAddUser()
                .username("joe")
@ -117,7 +117,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testAddAndGetRole() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating role");
        c.prepareAddRole()
                .name("test_role")
@ -171,7 +171,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testAddUserAndRoleThenAuth() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating role");
        c.prepareAddRole()
                .name("test_role")
@ -204,7 +204,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testUpdatingUserAndAuthentication() throws Exception {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating user");
        c.prepareAddUser()
                .username("joe")
@ -248,7 +248,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testCreateDeleteAuthenticate() {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating user");
        c.prepareAddUser()
                .username("joe")
@ -285,7 +285,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    public void testCreateAndUpdateRole() {
        final boolean authenticate = randomBoolean();
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating role");
        c.prepareAddRole()
                .name("test_role")
@ -340,7 +340,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    }
    public void testAuthenticateWithDeletedRole() {
-        ShieldClient c = new ShieldClient(client());
+        SecurityClient c = securityClient();
        logger.error("--> creating role");
        c.prepareAddRole()
                .name("test_role")
@ -373,7 +373,7 @@ public class ESNativeTests extends ShieldIntegTestCase {
    @Before
    public void ensureStoresStarted() throws Exception {
        // Clear the realm cache for all realms since we use a SUITE scoped cluster
-        ShieldClient client = new ShieldClient(client());
+        SecurityClient client = securityClient();
        client.prepareClearRealmCache().get();
        for (ESNativeUsersStore store : internalCluster().getInstances(ESNativeUsersStore.class)) {
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/store/FileRolesStoreTests.java
@ -19,6 +19,7 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 import org.elasticsearch.watcher.ResourceWatcherService;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.io.BufferedWriter;
 import java.io.OutputStream;
@ -52,8 +53,9 @@ public class FileRolesStoreTests extends ESTestCase {
    public void testParseFile() throws Exception {
        Path path = getDataPath("roles.yml");
-        Map<String, Role> roles = FileRolesStore.parseFile(path, logger,
+        Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
-                Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, true).build());
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), true)
                .build());
        assertThat(roles, notNullValue());
        assertThat(roles.size(), is(10));
@ -208,8 +210,9 @@ public class FileRolesStoreTests extends ESTestCase {
    public void testParseFileWithFLSAndDLSDisabled() throws Exception {
        Path path = getDataPath("roles.yml");
        CapturingLogger logger = new CapturingLogger(CapturingLogger.Level.ERROR);
-        Map<String, Role> roles = FileRolesStore.parseFile(path,
+        Map<String, Role> roles = FileRolesStore.parseFile(path, logger, Settings.builder()
-                logger, Settings.builder().put(ShieldPlugin.DLS_FLS_ENABLED_SETTING, false).build());
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.DLS_FLS_FEATURE), false)
                .build());
        assertThat(roles, notNullValue());
        assertThat(roles.size(), is(7));
        assertThat(roles.get("role_fields"), nullValue());
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/test/ShieldIntegTestCase.java
@ -15,9 +15,11 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.shield.InternalClient;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.test.ESIntegTestCase.SuppressLocalMode;
 import org.elasticsearch.test.transport.AssertingLocalTransport;
 import org.elasticsearch.test.transport.MockTransportService;
 import org.elasticsearch.xpack.XPackClient;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.junit.AfterClass;
 import org.junit.Before;
@ -267,6 +269,7 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
    }
    private class CustomShieldSettingsSource extends ShieldSettingsSource {
        private CustomShieldSettingsSource(boolean sslTransportEnabled, Path configDir, Scope scope) {
            super(maxNumberOfNodes(), sslTransportEnabled, configDir, scope);
        }
@ -339,4 +342,12 @@ public abstract class ShieldIntegTestCase extends ESIntegTestCase {
    protected InternalClient internalClient(String node) {
        return internalCluster().getInstance(InternalClient.class, node);
    }
    protected SecurityClient securityClient() {
        return securityClient(client());
    }
    public static SecurityClient securityClient(Client client) {
        return randomBoolean() ? new XPackClient(client).security() : new SecurityClient(client);
    }
 }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/transport/ShieldServerTransportServiceTests.java
@ -9,6 +9,7 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.transport.ShieldServerTransportService;
 import org.elasticsearch.test.ShieldIntegTestCase;
 import org.elasticsearch.xpack.XPackPlugin;
 import java.util.Map;
@ -21,7 +22,7 @@ public class ShieldServerTransportServiceTests extends ShieldIntegTestCase {
    protected Settings transportClientSettings() {
        return Settings.settingsBuilder()
                .put(super.transportClientSettings())
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, true)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), true)
                .build();
    }
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackClient.java
@ -0,0 +1,57 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.xpack;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.shield.authc.support.SecuredString;
 import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
 import org.elasticsearch.shield.client.SecurityClient;
 import org.elasticsearch.watcher.client.WatcherClient;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.BASIC_AUTH_HEADER;
 import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 /**
 *
 */
 public class XPackClient {
    private final Client client;
    private final SecurityClient securityClient;
    private final WatcherClient watcherClient;
    public XPackClient(Client client) {
        this.client = client;
        this.securityClient = new SecurityClient(client);
        this.watcherClient = new WatcherClient(client);
    }
    public SecurityClient security() {
        return securityClient;
    }
    public WatcherClient watcher() {
        return watcherClient;
    }
    public XPackClient withHeaders(Map<String, String> headers) {
        return new XPackClient(client.filterWithHeader(headers));
    }
    /**
     * Returns a client that will call xpack APIs on behalf of the given user.
     *
     * @param username The username of the user
     * @param passwd    The password of the user. This char array can be cleared after calling this method.
     */
    public XPackClient withAuth(String username, char[] passwd) {
       return withHeaders(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue(username, new SecuredString(passwd))));
    }
 }
--- a/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
+++ b/elasticsearch/x-pack/src/main/java/org/elasticsearch/xpack/XPackPlugin.java
@ -7,13 +7,13 @@ package org.elasticsearch.xpack;
 import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.action.ActionModule;
 import org.elasticsearch.client.Client;
 import org.elasticsearch.common.component.LifecycleComponent;
 import org.elasticsearch.common.inject.Module;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.index.IndexModule;
 import org.elasticsearch.license.plugin.LicensePlugin;
 import org.elasticsearch.marvel.MarvelPlugin;
@ -22,6 +22,7 @@ import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.watcher.WatcherPlugin;
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.ArrayList;
@ -29,9 +30,7 @@ import java.util.Collection;
 public class XPackPlugin extends Plugin {
-    public static final String NAME = "x-pack";
+    public static final String NAME = "xpack";
    private final static ESLogger logger = Loggers.getLogger(XPackPlugin.class);
    // TODO: clean up this library to not ask for write access to all system properties!
    static {
@ -143,4 +142,30 @@ public class XPackPlugin extends Plugin {
        watcherPlugin.onIndexModule(module);
        marvelPlugin.onIndexModule(module);
    }
    public static boolean transportClientMode(Settings settings) {
        return !"node".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
    }
    public static Path resolveConfigFile(Environment env, String name) {
        return env.configFile().resolve(NAME).resolve(name);
    }
    /**
     * A consistent way to enable disable features using the following setting:
     *
     *          {@code "xpack.<feature>.enabled": true | false}
     *
     *  Also supports the following setting as a fallback (for BWC with 1.x/2.x):
     *
     *          {@code "<feature>.enabled": true | false}
     */
    public static boolean featureEnabled(Settings settings, String featureName, boolean defaultValue) {
        return settings.getAsBoolean(featureEnabledSetting(featureName),
                settings.getAsBoolean(featureName + ".enabled", defaultValue)); // for bwc
    }
    public static String featureEnabledSetting(String featureName) {
        return NAME + "." + featureName + ".enabled";
    }
 }
--- a/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml
+++ b/elasticsearch/x-pack/src/test/resources/rest-api-spec/test/xpack/10_basic.yaml
@ -10,4 +10,4 @@
    - do:
        nodes.info: {}
-    - match:  { nodes.$master.plugins.0.name: x-pack  }
+    - match:  { nodes.$master.plugins.0.name: xpack  }
--- a/elasticsearch/x-pack/watcher/bin/watcher/.in.bat
+++ b/elasticsearch/x-pack/watcher/bin/watcher/.in.bat
@ -76,7 +76,7 @@ REM JAVA_OPTS=%JAVA_OPTS% -XX:HeapDumpPath=$ES_HOME/logs/heapdump.hprof
 REM Disables explicit GC
 set JAVA_OPTS=%JAVA_OPTS% -XX:+DisableExplicitGC
-set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/elasticsearch-1.4.0-SNAPSHOT.jar;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/x-pack/*
+set ES_CLASSPATH=%ES_CLASSPATH%;%ES_HOME%/lib/*;%ES_HOME%/lib/sigar/*;%ES_HOME%/plugins/xpack/*
 set ES_PARAMS=-Des.path.home="%ES_HOME%"
 SET HOSTNAME=%COMPUTERNAME%
--- a/elasticsearch/x-pack/watcher/bin/watcher/croneval
+++ b/elasticsearch/x-pack/watcher/bin/watcher/croneval
@ -114,7 +114,7 @@ fi
 export HOSTNAME=`hostname -s`
 # include watcher jars in classpath
-ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/x-pack/*"
+ES_CLASSPATH="$ES_CLASSPATH:$ES_HOME/plugins/xpack/*"
 cd "$ES_HOME" > /dev/null
 $JAVA $ES_JAVA_OPTS -cp "$ES_CLASSPATH" org.elasticsearch.watcher.trigger.schedule.tool.CronEvalTool "$@" $properties
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/WatcherPlugin.java
@ -22,6 +22,8 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.SettingsModule;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.script.ScriptModule;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 import org.elasticsearch.watcher.actions.WatcherActionModule;
 import org.elasticsearch.watcher.actions.email.service.EmailService;
 import org.elasticsearch.watcher.actions.email.service.InternalEmailService;
@ -50,8 +52,7 @@ import org.elasticsearch.watcher.rest.action.RestPutWatchAction;
 import org.elasticsearch.watcher.rest.action.RestWatchServiceAction;
 import org.elasticsearch.watcher.rest.action.RestWatcherInfoAction;
 import org.elasticsearch.watcher.rest.action.RestWatcherStatsAction;
-import org.elasticsearch.watcher.shield.ShieldSecretService;
+import org.elasticsearch.watcher.support.secret.SecretService;
 import org.elasticsearch.watcher.shield.WatcherShieldModule;
 import org.elasticsearch.watcher.support.WatcherIndexTemplateRegistry.TemplateConfig;
 import org.elasticsearch.watcher.support.clock.ClockModule;
 import org.elasticsearch.watcher.support.http.HttpClient;
@ -120,8 +121,15 @@ public class WatcherPlugin extends Plugin {
        transportClient = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
        enabled = watcherEnabled(settings);
        validAutoCreateIndex(settings);
        // adding the watcher privileges to shield
        if (ShieldPlugin.enabled(settings)) {
            registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
            registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
        }
    }
    @Override public String name() {
        return NAME;
    }
@ -152,7 +160,6 @@ public class WatcherPlugin extends Plugin {
                new WatcherActionModule(),
                new HistoryModule(),
                new ExecutionModule(),
                new WatcherShieldModule(settings),
                new SecretModule(settings));
    }
@ -204,7 +211,8 @@ public class WatcherPlugin extends Plugin {
        module.registerSetting(Setting.intSetting("watcher.execution.scroll.size", 0, false, CLUSTER));
        module.registerSetting(Setting.intSetting("watcher.watch.scroll.size", 0, false, CLUSTER));
        module.registerSetting(Setting.boolSetting("watcher.enabled", false, false, CLUSTER));
-        module.registerSetting(ShieldSecretService.ENCRYPT_SENSITIVE_DATA_SETTING);
+        module.registerSetting(SecretService.Secure.ENCRYPT_SENSITIVE_DATA_SETTING);
        // TODO add real settings for these
        module.registerSetting(Setting.simpleString("resource.reload.interval", false, CLUSTER));
        module.registerSetting(Setting.simpleString("resource.reload.enabled", false, CLUSTER));
@ -328,4 +336,16 @@ public class WatcherPlugin extends Plugin {
                "[.watcher-history-YYYY.MM.dd] are allowed to be created", value);
    }
    void registerClusterPrivilege(String name, String... patterns) {
        try {
            ClusterPrivilege.addCustom(name, patterns);
        } catch (Exception se) {
            logger.warn("could not register cluster privilege [{}]", name);
            // we need to prevent bubbling the shield exception here for the tests. In the tests
            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
            // multiple nodes will try to add the same privileges multiple times.
        }
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldSecretService.java
@ -1,41 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.crypto.CryptoService;
 import org.elasticsearch.watcher.support.secret.SecretService;
 /**
 *
 */
 public class ShieldSecretService extends AbstractComponent implements SecretService {
    private final CryptoService cryptoService;
    private final boolean encryptSensitiveData;
    public static final Setting<Boolean> ENCRYPT_SENSITIVE_DATA_SETTING =
            Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER);
    @Inject
    public ShieldSecretService(Settings settings, CryptoService cryptoService) {
        super(settings);
        this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings);
        this.cryptoService = cryptoService;
    }
    @Override
    public char[] encrypt(char[] text) {
        return encryptSensitiveData ? cryptoService.encrypt(text) : text;
    }
    @Override
    public char[] decrypt(char[] text) {
        return encryptSensitiveData ? cryptoService.decrypt(text) : text;
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/shield/WatcherShieldModule.java
@ -1,45 +0,0 @@
 /*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
 package org.elasticsearch.watcher.shield;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.logging.ESLogger;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.shield.authz.privilege.ClusterPrivilege;
 /**
 *
 */
 public class WatcherShieldModule extends AbstractModule {
    private final ESLogger logger;
    public WatcherShieldModule(Settings settings) {
        this.logger = Loggers.getLogger(WatcherShieldModule.class, settings);
        if (ShieldPlugin.shieldEnabled(settings)) {
            registerClusterPrivilege("manage_watcher", "cluster:admin/watcher/*", "cluster:monitor/watcher/*");
            registerClusterPrivilege("monitor_watcher", "cluster:monitor/watcher/*");
        }
    }
    void registerClusterPrivilege(String name, String... patterns) {
        try {
            ClusterPrivilege.addCustom(name, patterns);
        } catch (Exception se) {
            logger.warn("could not register cluster privilege [{}]", name);
            // we need to prevent bubbling the shield exception here for the tests. In the tests
            // we create multiple nodes in the same jvm and since the custom cluster is a static binding
            // multiple nodes will try to add the same privileges multiple times.
        }
    }
    @Override
    protected void configure() {
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretModule.java
@ -8,7 +8,6 @@ package org.elasticsearch.watcher.support.secret;
 import org.elasticsearch.common.inject.AbstractModule;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.ShieldPlugin;
 import org.elasticsearch.watcher.shield.ShieldSecretService;
 /**
 *
@ -18,17 +17,16 @@ public class SecretModule extends AbstractModule {
    private final boolean shieldEnabled;
    public SecretModule(Settings settings) {
-        shieldEnabled = ShieldPlugin.shieldEnabled(settings);
+        shieldEnabled = ShieldPlugin.enabled(settings);
    }
    @Override
    protected void configure() {
        if (shieldEnabled) {
-            bind(ShieldSecretService.class).asEagerSingleton();
+            bind(SecretService.Secure.class).asEagerSingleton();
-            bind(SecretService.class).to(ShieldSecretService.class);
+            bind(SecretService.class).to(SecretService.Secure.class);
        } else {
-            bind(SecretService.PlainText.class).asEagerSingleton();
+            bind(SecretService.class).toInstance(SecretService.Insecure.INSTANCE);
            bind(SecretService.class).to(SecretService.PlainText.class);
        }
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SecretService.java
@ -5,6 +5,12 @@
 */
 package org.elasticsearch.watcher.support.secret;
 import org.elasticsearch.common.component.AbstractComponent;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.shield.crypto.CryptoService;
 /**
 *
 */
@ -14,7 +20,12 @@ public interface SecretService {
    char[] decrypt(char[] text);
-    class PlainText implements SecretService {
+    class Insecure implements SecretService {
        public static final Insecure INSTANCE = new Insecure();
        Insecure() {
        }
        @Override
        public char[] encrypt(char[] text) {
@ -26,4 +37,31 @@ public interface SecretService {
            return text;
        }
    }
    /**
     *
     */
    class Secure extends AbstractComponent implements SecretService {
        private final CryptoService cryptoService;
        private final boolean encryptSensitiveData;
        public static final Setting<Boolean> ENCRYPT_SENSITIVE_DATA_SETTING =
                Setting.boolSetting("watcher.shield.encrypt_sensitive_data", false, false, Setting.Scope.CLUSTER);
        @Inject
        public Secure(Settings settings, CryptoService cryptoService) {
            super(settings);
            this.encryptSensitiveData = ENCRYPT_SENSITIVE_DATA_SETTING.get(settings);
            this.cryptoService = cryptoService;
        }
        @Override
        public char[] encrypt(char[] text) {
            return encryptSensitiveData ? cryptoService.encrypt(text) : text;
        }
        @Override
        public char[] decrypt(char[] text) {
            return encryptSensitiveData ? cryptoService.decrypt(text) : text;
        }
    }
 }
--- a/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java
+++ b/elasticsearch/x-pack/watcher/src/main/java/org/elasticsearch/watcher/watch/Watch.java
@ -257,7 +257,7 @@ public class Watch implements TriggerEngine.Job, ToXContent {
         * Such that the returned watch will potentially hide this sensitive data behind a "secret". A secret
         * is an abstraction around sensitive data (text). There can be different implementations of how the
         * secret holds the data, depending on the wired up {@link SecretService}. When shield is installed, a
-         * {@link org.elasticsearch.watcher.shield.ShieldSecretService} is used, that potentially encrypts the data
+         * {@link SecretService.Secure} is used, that potentially encrypts the data
         * using Shield's configured system key.
         *
         * This method is only called once - when the user adds a new watch. From that moment on, all representations
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/WatcherPluginDisableTests.java
@ -41,8 +41,10 @@ public class WatcherPluginDisableTests extends ESIntegTestCase {
        return Settings.settingsBuilder()
                .put(super.nodeSettings(nodeOrdinal))
                .put(WatcherPlugin.ENABLED_SETTING, false)
                // disable shield because of query cache check and authentication/authorization
-                .put(ShieldPlugin.ENABLED_SETTING_NAME, false)
+                .put(XPackPlugin.featureEnabledSetting(ShieldPlugin.NAME), false)
                .put(NetworkModule.HTTP_ENABLED.getKey(), true)
                .build();
    }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/EmailSecretsIntegrationTests.java
@ -12,7 +12,6 @@ import org.elasticsearch.watcher.actions.email.service.EmailTemplate;
 import org.elasticsearch.watcher.actions.email.service.support.EmailServer;
 import org.elasticsearch.watcher.client.WatcherClient;
 import org.elasticsearch.watcher.execution.ActionExecutionMode;
 import org.elasticsearch.watcher.shield.ShieldSecretService;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import org.elasticsearch.watcher.support.xcontent.XContentSource;
 import org.elasticsearch.watcher.test.AbstractWatcherIntegrationTestCase;
@ -100,15 +99,15 @@ public class EmailSecretsIntegrationTests extends AbstractWatcherIntegrationTest
        if (shieldEnabled() && encryptSensitiveData) {
            assertThat(value, not(is((Object) PASSWORD)));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        } else {
            assertThat(value, is((Object) PASSWORD));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
            if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
            } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
            }
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountTests.java
@ -160,7 +160,7 @@ public class AccountTests extends ESTestCase {
                .put("smtp.port", server.port())
                .put("smtp.user", USERNAME)
                .put("smtp.password", PASSWORD)
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
        Email email = Email.builder()
                .id("_id")
@ -197,7 +197,7 @@ public class AccountTests extends ESTestCase {
                .put("smtp.port", server.port())
                .put("smtp.user", USERNAME)
                .put("smtp.password", PASSWORD)
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
        Email email = Email.builder()
                .id("_id")
@ -237,7 +237,7 @@ public class AccountTests extends ESTestCase {
        Account account = new Account(new Account.Config("default", Settings.builder()
                .put("smtp.host", "localhost")
                .put("smtp.port", server.port())
-                .build()), new SecretService.PlainText(), logger);
+                .build()), SecretService.Insecure.INSTANCE, logger);
        Email email = Email.builder()
                .id("_id")
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/AccountsTests.java
@ -24,7 +24,7 @@ public class AccountsTests extends ESTestCase {
                .put("default_account", "account1");
        addAccountSettings("account1", builder);
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
        Account account = accounts.account("account1");
        assertThat(account, notNullValue());
        assertThat(account.name(), equalTo("account1"));
@ -37,7 +37,7 @@ public class AccountsTests extends ESTestCase {
        Settings.Builder builder = Settings.builder();
        addAccountSettings("account1", builder);
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
        Account account = accounts.account("account1");
        assertThat(account, notNullValue());
        assertThat(account.name(), equalTo("account1"));
@ -52,7 +52,7 @@ public class AccountsTests extends ESTestCase {
        addAccountSettings("account1", builder);
        addAccountSettings("account2", builder);
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
        Account account = accounts.account("account1");
        assertThat(account, notNullValue());
        assertThat(account.name(), equalTo("account1"));
@ -70,7 +70,7 @@ public class AccountsTests extends ESTestCase {
        addAccountSettings("account1", builder);
        addAccountSettings("account2", builder);
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
        Account account = accounts.account("account1");
        assertThat(account, notNullValue());
        assertThat(account.name(), equalTo("account1"));
@ -88,7 +88,7 @@ public class AccountsTests extends ESTestCase {
        addAccountSettings("account1", builder);
        addAccountSettings("account2", builder);
        try {
-            new Accounts(builder.build(), new SecretService.PlainText(), logger);
+            new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
            fail("Expected SettingsException");
        } catch (SettingsException e) {
            assertThat(e.getMessage(), is("could not find default email account [unknown]"));
@ -97,7 +97,7 @@ public class AccountsTests extends ESTestCase {
    public void testNoAccount() throws Exception {
        Settings.Builder builder = Settings.builder();
-        Accounts accounts = new Accounts(builder.build(), new SecretService.PlainText(), logger);
+        Accounts accounts = new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
        try {
            accounts.account(null);
            fail("no accounts are configured so trying to get the default account should throw an IllegalStateException");
@ -110,7 +110,7 @@ public class AccountsTests extends ESTestCase {
        Settings.Builder builder = Settings.builder()
                .put("default_account", "unknown");
        try {
-            new Accounts(builder.build(), new SecretService.PlainText(), logger);
+            new Accounts(builder.build(), SecretService.Insecure.INSTANCE, logger);
            fail("Expected SettingsException");
        } catch (SettingsException e) {
            assertThat(e.getMessage(), is("could not find default email account [unknown]"));
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/InternalEmailServiceTests.java
@ -33,7 +33,7 @@ public class InternalEmailServiceTests extends ESTestCase {
    @Before
    public void init() throws Exception {
        accounts = mock(Accounts.class);
-        service = new InternalEmailService(Settings.EMPTY, new SecretService.PlainText(),
+        service = new InternalEmailService(Settings.EMPTY, SecretService.Insecure.INSTANCE,
                new ClusterSettings(Settings.EMPTY, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING))) {
            @Override
            protected Accounts createAccounts(Settings settings, ESLogger logger) {
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/ManualPublicSmtpServersTester.java
@ -7,7 +7,6 @@ package org.elasticsearch.watcher.actions.email.service;
 import org.apache.lucene.util.LuceneTestCase.AwaitsFix;
 import org.elasticsearch.common.cli.Terminal;
 import org.elasticsearch.common.inject.Provider;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.ToXContent;
@ -15,7 +14,6 @@ import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Collections;
 import java.util.Locale;
@ -124,7 +122,7 @@ public class ManualPublicSmtpServersTester {
    static InternalEmailService startEmailService(Settings.Builder builder) {
        Settings settings = builder.build();
-        InternalEmailService service = new InternalEmailService(settings, new SecretService.PlainText(),
+        InternalEmailService service = new InternalEmailService(settings, SecretService.Insecure.INSTANCE,
                new ClusterSettings(settings, Collections.singleton(InternalEmailService.EMAIL_ACCOUNT_SETTING)));
        service.start();
        return service;
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/actions/email/service/attachment/HttpEmailAttachementParserTests.java
@ -35,14 +35,14 @@ import static org.mockito.Mockito.when;
 public class HttpEmailAttachementParserTests extends ESTestCase {
-    private SecretService.PlainText secretService;
+    private SecretService.Insecure secretService;
    private HttpAuthRegistry authRegistry;
    private HttpRequestTemplate.Parser httpRequestTemplateParser;
    private HttpClient httpClient;
    @Before
    public void init() throws Exception {
-        secretService = new SecretService.PlainText();
+        secretService = SecretService.Insecure.INSTANCE;
        authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService)));
        httpRequestTemplateParser = new HttpRequestTemplate.Parser(authRegistry);
        httpClient = mock(HttpClient.class);
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpClientTests.java
@ -54,7 +54,7 @@ public class HttpClientTests extends ESTestCase {
    @Before
    public void init() throws Exception {
-        secretService = new SecretService.PlainText();
+        secretService = SecretService.Insecure.INSTANCE;
        authRegistry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(secretService)));
        webServer = startWebServer(9200, 9300);
        webPort = webServer.getPort();
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpReadTimeoutTests.java
@ -14,7 +14,6 @@ import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.watcher.support.http.auth.HttpAuthRegistry;
 import org.elasticsearch.watcher.support.secret.SecretService;
 import org.junit.After;
 import org.junit.Before;
@ -27,13 +26,12 @@ import static org.mockito.Mockito.mock;
 /**
 */
 public class HttpReadTimeoutTests extends ESTestCase {
    private MockWebServer webServer;
    private SecretService secretService;
    private int webPort;
    @Before
    public void init() throws Exception {
        secretService = new SecretService.PlainText();
        for (webPort = 9200; webPort < 9300; webPort++) {
            try {
                webServer = new MockWebServer();
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/support/http/HttpRequestTemplateTests.java
@ -136,7 +136,8 @@ public class HttpRequestTemplateTests extends ESTestCase {
        HttpRequestTemplate template = builder.build();
-        HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE, new BasicAuthFactory(new SecretService.PlainText())));
+        HttpAuthRegistry registry = new HttpAuthRegistry(singletonMap(BasicAuth.TYPE,
                new BasicAuthFactory(SecretService.Insecure.INSTANCE)));
        HttpRequestTemplate.Parser parser = new HttpRequestTemplate.Parser(registry);
        XContentBuilder xContentBuilder = template.toXContent(jsonBuilder(), ToXContent.EMPTY_PARAMS);
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/AbstractWatcherIntegrationTestCase.java
@ -61,6 +61,7 @@ import org.elasticsearch.watcher.trigger.TriggerService;
 import org.elasticsearch.watcher.trigger.schedule.ScheduleModule;
 import org.elasticsearch.watcher.watch.Watch;
 import org.elasticsearch.xpack.TimeWarpedXPackPlugin;
 import org.elasticsearch.xpack.XPackClient;
 import org.elasticsearch.xpack.XPackPlugin;
 import org.hamcrest.Matcher;
 import org.jboss.netty.util.internal.SystemPropertyUtil;
@ -349,9 +350,8 @@ public abstract class AbstractWatcherIntegrationTestCase extends ESIntegTestCase
    }
    protected WatcherClient watcherClient() {
-        return shieldEnabled ?
+        Client client = shieldEnabled ? internalCluster().transportClient() : client();
-                new WatcherClient(internalCluster().transportClient()) :
+        return randomBoolean() ? new XPackClient(client).watcher() : new WatcherClient(client);
                new WatcherClient(client());
    }
    protected ScriptServiceProxy scriptService() {
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/test/integration/HttpSecretsIntegrationTests.java
@ -14,7 +14,6 @@ import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.xcontent.support.XContentMapValues;
 import org.elasticsearch.watcher.client.WatcherClient;
 import org.elasticsearch.watcher.execution.ActionExecutionMode;
 import org.elasticsearch.watcher.shield.ShieldSecretService;
 import org.elasticsearch.watcher.support.http.HttpRequestTemplate;
 import org.elasticsearch.watcher.support.http.auth.basic.ApplicableBasicAuth;
 import org.elasticsearch.watcher.support.http.auth.basic.BasicAuth;
@ -118,15 +117,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC
        if (shieldEnabled() && encryptSensitiveData) {
            assertThat(value, not(is((Object) PASSWORD)));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        } else {
            assertThat(value, is((Object) PASSWORD));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
            if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
            } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
            }
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        }
@ -190,15 +189,15 @@ public class HttpSecretsIntegrationTests extends AbstractWatcherIntegrationTestC
        if (shieldEnabled() && encryptSensitiveData) {
            assertThat(value, not(is((Object) PASSWORD)));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
-            assertThat(secretService, instanceOf(ShieldSecretService.class));
+            assertThat(secretService, instanceOf(SecretService.Secure.class));
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        } else {
            assertThat(value, is((Object) PASSWORD));
            SecretService secretService = getInstanceFromMaster(SecretService.class);
            if (shieldEnabled()) {
-                assertThat(secretService, instanceOf(ShieldSecretService.class));
+                assertThat(secretService, instanceOf(SecretService.Secure.class));
            } else {
-                assertThat(secretService, instanceOf(SecretService.PlainText.class));
+                assertThat(secretService, instanceOf(SecretService.Insecure.class));
            }
            assertThat(new String(secretService.decrypt(((String) value).toCharArray())), is(PASSWORD));
        }
--- a/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java
+++ b/elasticsearch/x-pack/watcher/src/test/java/org/elasticsearch/watcher/watch/WatchTests.java
@ -177,7 +177,7 @@ public class WatchTests extends ESTestCase {
        ScheduleRegistry scheduleRegistry = registry(schedule);
        TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock);
        TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
        ExecutableInput input = randomInput();
        InputRegistry inputRegistry = registry(input);
@ -227,7 +227,7 @@ public class WatchTests extends ESTestCase {
        ScheduleRegistry scheduleRegistry = registry(randomSchedule());
        TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, clock);
        TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
        ExecutableCondition condition = randomCondition();
        ConditionRegistry conditionRegistry = registry(condition);
        ExecutableInput input = randomInput();
@ -258,7 +258,7 @@ public class WatchTests extends ESTestCase {
        ScheduleRegistry scheduleRegistry = registry(schedule);
        TriggerEngine triggerEngine = new ParseOnlyScheduleTriggerEngine(Settings.EMPTY, scheduleRegistry, SystemClock.INSTANCE);
        TriggerService triggerService = new TriggerService(Settings.EMPTY, singleton(triggerEngine));
-        SecretService secretService = new SecretService.PlainText();
+        SecretService secretService = SecretService.Insecure.INSTANCE;
        ConditionRegistry conditionRegistry = registry(new ExecutableAlwaysCondition(logger));
        InputRegistry inputRegistry = registry(new ExecutableNoneInput(logger));