diff --git a/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java b/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java
index 5354d9fc802..20faeeea0e7 100644
--- a/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java
+++ b/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionFilter.java
@@ -27,6 +27,7 @@ import org.elasticsearch.shield.crypto.CryptoService;
 import org.elasticsearch.shield.license.LicenseEventsNotifier;
 import org.elasticsearch.shield.license.LicenseService;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -148,7 +149,7 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
         }
     }
 
-    <Response extends ActionResponse> Response sign(Response response) {
+    <Response extends ActionResponse> Response sign(Response response) throws IOException {
 
         if (response instanceof SearchResponse) {
             SearchResponse searchResponse = (SearchResponse) response;
@@ -174,8 +175,12 @@ public class ShieldActionFilter extends AbstractComponent implements ActionFilte
 
         @Override @SuppressWarnings("unchecked")
         public void onResponse(Response response) {
-            response = this.filter.sign(response);
-            innerListener.onResponse(response);
+            try {
+                response = this.filter.sign(response);
+                innerListener.onResponse(response);
+            } catch (IOException e) {
+                onFailure(e);
+            }
         }
 
         @Override
diff --git a/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java b/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
index d19ccc26d8a..3dd57488b98 100644
--- a/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
+++ b/shield/src/main/java/org/elasticsearch/shield/audit/index/IndexAuditTrail.java
@@ -660,7 +660,11 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail {
         bulkProcessor = BulkProcessor.builder(client, new BulkProcessor.Listener() {
             @Override
             public void beforeBulk(long executionId, BulkRequest request) {
-                authenticationService.attachUserHeaderIfMissing(request, auditUser.user());
+                try {
+                    authenticationService.attachUserHeaderIfMissing(request, auditUser.user());
+                } catch (IOException e) {
+                    throw new ElasticsearchException("failed to attach user header", e);
+                }
             }
 
             @Override
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationService.java b/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationService.java
index 550eb942906..a563c3438fd 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/AuthenticationService.java
@@ -10,6 +10,8 @@ import org.elasticsearch.rest.RestRequest;
 import org.elasticsearch.shield.User;
 import org.elasticsearch.transport.TransportMessage;
 
+import java.io.IOException;
+
 /**
  * Responsible for authenticating the Users behind requests
  */
@@ -46,7 +48,7 @@ public interface AuthenticationService {
      *                                          case where there was no user associated with the request, if the defautl
  *                                              token could not be authenticated.
      */
-    User authenticate(String action, TransportMessage message, User fallbackUser);
+    User authenticate(String action, TransportMessage message, User fallbackUser) throws IOException;
 
     /**
      * Checks if there's alreay a user header attached to the given message. If missing, a new header is
@@ -55,6 +57,6 @@ public interface AuthenticationService {
      * @param message   The message
      * @param user      The user to be attached if the header is missing
      */
-    void attachUserHeaderIfMissing(TransportMessage message, User user);
+    void attachUserHeaderIfMissing(TransportMessage message, User user) throws IOException;
 
 }
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java b/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
index eb0591ffea0..38b0d80c13b 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/InternalAuthenticationService.java
@@ -105,7 +105,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
     }
 
     @Override
-    public User authenticate(String action, TransportMessage message, User fallbackUser) {
+    public User authenticate(String action, TransportMessage message, User fallbackUser) throws IOException {
         User user = message.getFromContext(USER_KEY);
         if (user != null) {
             return user;
@@ -127,7 +127,7 @@ public class InternalAuthenticationService extends AbstractComponent implements
     }
 
     @Override
-    public void attachUserHeaderIfMissing(TransportMessage message, User user) {
+    public void attachUserHeaderIfMissing(TransportMessage message, User user) throws IOException {
         if (message.hasHeader(USER_KEY)) {
             return;
         }
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java b/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
index c4803baa1a0..a7a37ad5296 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/activedirectory/ActiveDirectorySessionFactory.java
@@ -119,7 +119,6 @@ public class ActiveDirectorySessionFactory extends SessionFactory {
             return new LdapSession(connectionLogger, connection, dn, groupResolver, timeout);
         } catch (LDAPException e) {
             connection.close();
-            // TODO think more about this exception...
             throw authenticationError("unable to authenticate user [{}] to active directory domain [{}]", e, userName, domainName);
         }
     }
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java b/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
index 57f79205b8a..f66e8011492 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapRealm.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.shield.authc.ldap;
 
+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.rest.RestController;
@@ -16,6 +17,8 @@ import org.elasticsearch.shield.authc.support.DnRoleMapper;
 import org.elasticsearch.shield.ssl.ClientSSLService;
 import org.elasticsearch.watcher.ResourceWatcherService;
 
+import java.io.IOException;
+
 /**
  * Authenticates username/password tokens against ldap, locates groups and maps them to roles.
  */
@@ -46,12 +49,16 @@ public class LdapRealm extends AbstractLdapRealm {
 
         @Override
         public LdapRealm create(RealmConfig config) {
-            SessionFactory sessionFactory = sessionFactory(config, clientSSLService);
-            DnRoleMapper roleMapper = new DnRoleMapper(TYPE, config, watcherService, null);
-            return new LdapRealm(config, sessionFactory, roleMapper);
+            try {
+                SessionFactory sessionFactory = sessionFactory(config, clientSSLService);
+                DnRoleMapper roleMapper = new DnRoleMapper(TYPE, config, watcherService, null);
+                return new LdapRealm(config, sessionFactory, roleMapper);
+            } catch (IOException e) {
+                throw new ElasticsearchException("failed to create realm [{}/{}]", e, LdapRealm.TYPE, config.name());
+            }
         }
 
-        static SessionFactory sessionFactory(RealmConfig config, ClientSSLService clientSSLService) {
+        static SessionFactory sessionFactory(RealmConfig config, ClientSSLService clientSSLService) throws IOException {
             Settings searchSettings = config.settings().getAsSettings("user_search");
             if (!searchSettings.names().isEmpty()) {
                 if (config.settings().getAsArray(LdapSessionFactory.USER_DN_TEMPLATES_SETTING).length > 0) {
diff --git a/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java b/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
index fe581371c77..33fce6902db 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authc/ldap/LdapUserSearchSessionFactory.java
@@ -7,7 +7,6 @@ package org.elasticsearch.shield.authc.ldap;
 
 import com.google.common.primitives.Ints;
 import com.unboundid.ldap.sdk.*;
-import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.TimeValue;
@@ -43,7 +42,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
     private final String userAttribute;
     private final ServerSet serverSet;
 
-    public LdapUserSearchSessionFactory(RealmConfig config, ClientSSLService sslService) {
+    public LdapUserSearchSessionFactory(RealmConfig config, ClientSSLService sslService) throws IOException {
         super(config);
         Settings settings = config.settings();
         userSearchBaseDn = settings.get("user_search.base_dn");
@@ -55,8 +54,6 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
         serverSet = serverSet(settings, sslService);
         connectionPool = connectionPool(config.settings(), serverSet, timeout);
         groupResolver = groupResolver(settings);
-
-
     }
 
     static void filterOutSensitiveSettings(String realmName, ShieldSettingsFilter filter) {
@@ -65,7 +62,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
         filter.filterOut("shield.authc.realms." + realmName + "." + HOSTNAME_VERIFICATION_SETTING);
     }
 
-    static LDAPConnectionPool connectionPool(Settings settings, ServerSet serverSet, TimeValue timeout) {
+    static LDAPConnectionPool connectionPool(Settings settings, ServerSet serverSet, TimeValue timeout) throws IOException {
         SimpleBindRequest bindRequest = bindRequest(settings);
         int initialSize = settings.getAsInt("user_search.pool.initial_size", DEFAULT_CONNECTION_POOL_INITIAL_SIZE);
         int size = settings.getAsInt("user_search.pool.size", DEFAULT_CONNECTION_POOL_SIZE);
@@ -88,8 +85,7 @@ public class LdapUserSearchSessionFactory extends SessionFactory {
             }
             return pool;
         } catch (LDAPException e) {
-            // TODO consider changing this to IOException and bubble it up
-            throw new ElasticsearchException("unable to connect to any LDAP servers", e);
+            throw new IOException("unable to connect to any LDAP servers", e);
         }
     }
 
diff --git a/shield/src/main/java/org/elasticsearch/shield/crypto/CryptoService.java b/shield/src/main/java/org/elasticsearch/shield/crypto/CryptoService.java
index 962716e6a28..ff8471fef3c 100644
--- a/shield/src/main/java/org/elasticsearch/shield/crypto/CryptoService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/crypto/CryptoService.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.shield.crypto;
 
 import javax.crypto.SecretKey;
+import java.io.IOException;
 
 /**
  * Service that provides cryptographic methods based on a shared system key
@@ -16,11 +17,11 @@ public interface CryptoService {
      * Signs the given text and returns the signed text (original text + signature)
      * @param text the string to sign
      */
-    String sign(String text);
+    String sign(String text) throws IOException;
 
     /**
      * Unsigns the given signed text, verifies the original text with the attached signature and if valid returns
-     * the unsigned (original) text. If signature verification fails a {@link SignatureException} is thrown.
+     * the unsigned (original) text. If signature verification fails a {@link IllegalArgumentException} is thrown.
      * @param text the string to unsign and verify
      */
     String unsignAndVerify(String text);
@@ -30,11 +31,11 @@ public interface CryptoService {
      * @param text the string to sign
      * @param key the key to sign the text with
      */
-    String sign(String text, SecretKey key);
+    String sign(String text, SecretKey key) throws IOException;
 
     /**
      * Unsigns the given signed text, verifies the original text with the attached signature and if valid returns
-     * the unsigned (original) text. If signature verification fails a {@link SignatureException} is thrown.
+     * the unsigned (original) text. If signature verification fails a {@link IllegalArgumentException} is thrown.
      * @param text the string to unsign and verify
      * @param key the key to unsign the text with
      */
@@ -121,8 +122,8 @@ public interface CryptoService {
          * service. This provides the old keys back to the clients so that they may perform decryption and re-encryption
          * of data after a key has been changed
          *
-         * @param oldSystemKey
-         * @param oldEncryptionKey
+         * @param oldSystemKey the pre-existing system key
+         * @param oldEncryptionKey the pre-existing encryption key
          */
         void onKeyChange(SecretKey oldSystemKey, SecretKey oldEncryptionKey);
     }
diff --git a/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java b/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
index 8a560b9df7d..9b114b8afb2 100644
--- a/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/crypto/InternalCryptoService.java
@@ -139,12 +139,12 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
     }
 
     @Override
-    public String sign(String text) {
+    public String sign(String text) throws IOException {
         return sign(text, this.systemKey);
     }
 
     @Override
-    public String sign(String text, SecretKey key) {
+    public String sign(String text, SecretKey key) throws IOException {
         if (key == null) {
             return text;
         }
@@ -310,8 +310,7 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
     private byte[] decryptInternal(byte[] bytes, SecretKey key) {
         if (bytes.length < ivLength) {
             logger.error("received data for decryption with size [{}] that is less than IV length [{}]", bytes.length, ivLength);
-            // TODO consider changing to IllegalArgumentException
-            throw new ElasticsearchException("invalid data to decrypt");
+            throw new IllegalArgumentException("invalid data to decrypt");
         }
 
         byte[] iv = new byte[ivLength];
@@ -337,15 +336,10 @@ public class InternalCryptoService extends AbstractLifecycleComponent<InternalCr
         }
     }
 
-    private static String signInternal(String text, SecretKey key) {
+    private static String signInternal(String text, SecretKey key) throws IOException {
         Mac mac = createMac(key);
         byte[] sig = mac.doFinal(text.getBytes(Charsets.UTF_8));
-        try {
-            return Base64.encodeBytes(sig, 0, sig.length, Base64.URL_SAFE);
-        } catch (IOException e) {
-            // TODO consider bubbling the IOException up
-            throw new IllegalArgumentException("unable to encode signed data", e);
-        }
+        return Base64.encodeBytes(sig, 0, sig.length, Base64.URL_SAFE);
     }
 
 
diff --git a/shield/src/main/java/org/elasticsearch/shield/transport/ClientTransportFilter.java b/shield/src/main/java/org/elasticsearch/shield/transport/ClientTransportFilter.java
index 579af0a6948..8c23d344b3d 100644
--- a/shield/src/main/java/org/elasticsearch/shield/transport/ClientTransportFilter.java
+++ b/shield/src/main/java/org/elasticsearch/shield/transport/ClientTransportFilter.java
@@ -10,6 +10,8 @@ import org.elasticsearch.shield.User;
 import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.transport.TransportRequest;
 
+import java.io.IOException;
+
 /**
  * This interface allows clients, that connect to an elasticsearch cluster, to execute
  * additional logic before an operation is sent.
@@ -23,7 +25,7 @@ public interface ClientTransportFilter {
      * thrown by this method will stop the request from being sent and the error will
      * be sent back to the sender.
      */
-    void outbound(String action, TransportRequest request);
+    void outbound(String action, TransportRequest request) throws IOException;
 
     /**
      * The client transport filter that should be used in transport clients
@@ -48,7 +50,7 @@ public interface ClientTransportFilter {
         }
 
         @Override
-        public void outbound(String action, TransportRequest request) {
+        public void outbound(String action, TransportRequest request) throws IOException {
             /**
                 this will check if there's a user associated with the request. If there isn't,
                 the system user will be attached. There cannot be a request outgoing from this
diff --git a/shield/src/main/java/org/elasticsearch/shield/transport/ServerTransportFilter.java b/shield/src/main/java/org/elasticsearch/shield/transport/ServerTransportFilter.java
index f752c9e8fa2..b349dca1fc4 100644
--- a/shield/src/main/java/org/elasticsearch/shield/transport/ServerTransportFilter.java
+++ b/shield/src/main/java/org/elasticsearch/shield/transport/ServerTransportFilter.java
@@ -19,6 +19,7 @@ import org.jboss.netty.channel.Channel;
 import org.jboss.netty.handler.ssl.SslHandler;
 
 import javax.net.ssl.SSLPeerUnverifiedException;
+import java.io.IOException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 
@@ -37,7 +38,7 @@ public interface ServerTransportFilter {
      * thrown by this method will stop the request from being handled and the error will
      * be sent back to the sender.
      */
-    void inbound(String action, TransportRequest request, TransportChannel transportChannel);
+    void inbound(String action, TransportRequest request, TransportChannel transportChannel) throws IOException;
 
     /**
      * The server trasnport filter that should be used in nodes as it ensures that an incoming
@@ -59,7 +60,7 @@ public interface ServerTransportFilter {
         }
 
         @Override
-        public void inbound(String action, TransportRequest request, TransportChannel transportChannel) {
+        public void inbound(String action, TransportRequest request, TransportChannel transportChannel) throws IOException {
             /*
              here we don't have a fallback user, as all incoming request are
              expected to have a user attached (either in headers or in context)
@@ -108,7 +109,7 @@ public interface ServerTransportFilter {
         }
 
         @Override
-        public void inbound(String action, TransportRequest request, TransportChannel transportChannel) {
+        public void inbound(String action, TransportRequest request, TransportChannel transportChannel) throws IOException {
             // TODO is ']' sufficient to mark as shard action?
             boolean isInternalOrShardAction = action.startsWith("internal:") || action.endsWith("]");
             if (isInternalOrShardAction) {
diff --git a/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java b/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java
index f725e8cf73e..e7a60c95060 100644
--- a/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/LicensingTests.java
@@ -6,7 +6,6 @@
 package org.elasticsearch.integration;
 
 import com.google.common.collect.ImmutableSet;
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
 import org.elasticsearch.action.admin.cluster.node.stats.NodesStatsResponse;
@@ -41,7 +40,6 @@ import static org.hamcrest.Matchers.*;
 /**
  *
  */
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class LicensingTests extends ShieldIntegrationTest {
 
     public static final String ROLES =
diff --git a/shield/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java b/shield/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java
index 9987714ccce..cb231762696 100644
--- a/shield/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/MultipleIndicesPermissionsTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.index.IndexResponse;
 import org.elasticsearch.action.search.MultiSearchResponse;
@@ -28,7 +27,6 @@ import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitC
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFailures;
 import static org.hamcrest.Matchers.is;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class MultipleIndicesPermissionsTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("passwd".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java b/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java
index 49578d07b27..581669bf83e 100644
--- a/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/PermissionPrecedenceTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.indices.template.get.GetIndexTemplatesResponse;
 import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
@@ -32,7 +31,6 @@ import static org.hamcrest.Matchers.hasSize;
  * actions that are normally categorized as index actions as cluster actions - for example,
  * index template actions.
  */
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class PermissionPrecedenceTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java b/shield/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java
index 4e309990be9..7224802ca2e 100644
--- a/shield/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/ScrollIdSigningTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.ExceptionsHelper;
 import org.elasticsearch.action.index.IndexRequestBuilder;
@@ -23,7 +22,6 @@ import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationExcepti
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertHitCount;
 import static org.hamcrest.Matchers.*;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class ScrollIdSigningTests extends ShieldIntegrationTest {
 
     @Test
diff --git a/shield/src/test/java/org/elasticsearch/integration/SearchGetAndSuggestPermissionsTests.java b/shield/src/test/java/org/elasticsearch/integration/SearchGetAndSuggestPermissionsTests.java
index 78d4717c92a..30214ac15a2 100644
--- a/shield/src/test/java/org/elasticsearch/integration/SearchGetAndSuggestPermissionsTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/SearchGetAndSuggestPermissionsTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.get.MultiGetResponse;
 import org.elasticsearch.action.index.IndexResponse;
@@ -28,7 +27,6 @@ import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertNoFa
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class SearchGetAndSuggestPermissionsTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("passwd".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java b/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java
index 9dcf5603dd4..a16656f531a 100644
--- a/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/ShieldCachePermissionTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.Version;
 import org.elasticsearch.action.index.IndexRequest;
 import org.elasticsearch.action.search.SearchPhaseExecutionException;
@@ -25,7 +24,6 @@ import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basic
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class ShieldCachePermissionTests extends ShieldIntegrationTest {
 
     static final String READ_ONE_IDX_USER = "read_user";
@@ -104,7 +102,8 @@ public class ShieldCachePermissionTests extends ShieldIntegrationTest {
                     .execute().actionGet();
             fail("search phase exception should have been thrown! response was:\n" + response.toString());
         } catch (SearchPhaseExecutionException e) {
-            assertThat(e.toString(), containsString("AuthorizationException"));
+            assertThat(e.toString(), containsString("ElasticsearchSecurityException[action"));
+            assertThat(e.toString(), containsString("unauthorized"));
         }
     }
 
@@ -128,7 +127,8 @@ public class ShieldCachePermissionTests extends ShieldIntegrationTest {
                     .execute().actionGet();
             fail("search phase exception should have been thrown! response was:\n" + response.toString());
         } catch (SearchPhaseExecutionException e) {
-            assertThat(e.toString(), containsString("AuthorizationException"));
+            assertThat(e.toString(), containsString("ElasticsearchSecurityException[action"));
+            assertThat(e.toString(), containsString("unauthorized"));
         }
     }
 }
diff --git a/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java b/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
index cbd9096e4b6..e77d5357ae0 100644
--- a/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/ShieldClearScrollTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.bulk.BulkRequestBuilder;
 import org.elasticsearch.action.bulk.BulkResponse;
@@ -28,7 +27,6 @@ import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertThro
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class ShieldClearScrollTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("change_me".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java b/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
index 6109b4e3f79..087945460fc 100644
--- a/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/ldap/GroupMappingTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration.ldap;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.test.junit.annotations.Network;
 import org.junit.Test;
 
@@ -16,7 +15,6 @@ import java.io.IOException;
  * The super class will provide appropriate group mappings via configGroupMappings()
  */
 @Network
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class GroupMappingTests extends AbstractAdLdapRealmTests {
 
     @Test
diff --git a/shield/src/test/java/org/elasticsearch/integration/ldap/MultiGroupMappingTests.java b/shield/src/test/java/org/elasticsearch/integration/ldap/MultiGroupMappingTests.java
index 2e2d4834d3b..3147522aa7b 100644
--- a/shield/src/test/java/org/elasticsearch/integration/ldap/MultiGroupMappingTests.java
+++ b/shield/src/test/java/org/elasticsearch/integration/ldap/MultiGroupMappingTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.integration.ldap;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.test.junit.annotations.Network;
 import org.junit.Test;
 
@@ -15,7 +14,6 @@ import java.io.IOException;
  * This tests the mapping of multiple groups to a role
  */
 @Network
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class MultiGroupMappingTests extends AbstractAdLdapRealmTests {
 
     @Override
diff --git a/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java b/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
index 11e977925d2..74a8729bb5b 100644
--- a/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/audit/index/IndexAuditTrailTests.java
@@ -40,6 +40,7 @@ import org.joda.time.format.ISODateTimeFormat;
 import org.junit.After;
 import org.junit.Test;
 
+import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.util.List;
@@ -111,11 +112,11 @@ public class IndexAuditTrailTests extends ShieldIntegrationTest {
         return remoteIndexing ? remoteClient : client();
     }
 
-    private void initialize(String... excludes) {
+    private void initialize(String... excludes) throws IOException {
         initialize(null, excludes);
     }
 
-    private void initialize(String[] includes, String[] excludes) {
+    private void initialize(String[] includes, String[] excludes) throws IOException {
         rollover = randomFrom(HOURLY, DAILY, WEEKLY, MONTHLY);
         numReplicas = numberOfReplicas();
         numShards = numberOfShards();
diff --git a/shield/src/test/java/org/elasticsearch/shield/authz/AnalyzeTests.java b/shield/src/test/java/org/elasticsearch/shield/authz/AnalyzeTests.java
index 1e80af9a342..b516b08cce2 100644
--- a/shield/src/test/java/org/elasticsearch/shield/authz/AnalyzeTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/authz/AnalyzeTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.shield.authz;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.shield.authc.support.Hasher;
 import org.elasticsearch.shield.authc.support.SecuredString;
@@ -17,7 +16,6 @@ import static org.elasticsearch.shield.authc.support.UsernamePasswordToken.basic
 import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationException;
 import static org.hamcrest.CoreMatchers.containsString;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class AnalyzeTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/shield/authz/IndexAliasesTests.java b/shield/src/test/java/org/elasticsearch/shield/authz/IndexAliasesTests.java
index 7ff3ba0e981..502db4816c9 100644
--- a/shield/src/test/java/org/elasticsearch/shield/authz/IndexAliasesTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/authz/IndexAliasesTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.shield.authz;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.admin.indices.alias.Alias;
 import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequestBuilder;
@@ -24,7 +23,6 @@ import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationExcepti
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
 import static org.hamcrest.CoreMatchers.*;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class IndexAliasesTests extends ShieldIntegrationTest {
 
     protected static final String USERS_PASSWD_HASHED = new String(Hasher.BCRYPT.hash(new SecuredString("test123".toCharArray())));
diff --git a/shield/src/test/java/org/elasticsearch/shield/authz/indicesresolver/IndicesResolverIntegrationTests.java b/shield/src/test/java/org/elasticsearch/shield/authz/indicesresolver/IndicesResolverIntegrationTests.java
index 3dc32790c91..27a64fcf5e9 100644
--- a/shield/src/test/java/org/elasticsearch/shield/authz/indicesresolver/IndicesResolverIntegrationTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/authz/indicesresolver/IndicesResolverIntegrationTests.java
@@ -5,7 +5,6 @@
  */
 package org.elasticsearch.shield.authz.indicesresolver;
 
-import org.apache.lucene.util.LuceneTestCase;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.ActionRequestBuilder;
 import org.elasticsearch.action.admin.indices.alias.Alias;
@@ -25,7 +24,6 @@ import java.util.List;
 import static org.elasticsearch.test.ShieldTestsUtils.assertAuthorizationException;
 import static org.hamcrest.CoreMatchers.*;
 
-@LuceneTestCase.AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch-shield/issues/947")
 public class IndicesResolverIntegrationTests extends ShieldIntegrationTest {
 
     @Override
@@ -173,7 +171,7 @@ public class IndicesResolverIntegrationTests extends ShieldIntegrationTest {
                 .add(Requests.searchRequest())
                 .add(Requests.searchRequest("test4")).get();
         assertReturnedIndices(multiSearchResponse.getResponses()[0].getResponse(), "test1", "test2", "test3");
-        assertThat(multiSearchResponse.getResponses()[1].getFailure().toString(), equalTo("[test4] no such index"));
+        assertThat(multiSearchResponse.getResponses()[1].getFailure().toString(), equalTo("[test4] IndexNotFoundException[no such index]"));
     }
 
     @Test(expected = IndexNotFoundException.class)
diff --git a/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java b/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
index f0daaef5ef6..d02542f37fe 100644
--- a/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
+++ b/shield/src/test/java/org/elasticsearch/shield/crypto/InternalCryptoServiceTests.java
@@ -17,6 +17,7 @@ import org.junit.Before;
 import org.junit.Test;
 
 import javax.crypto.SecretKey;
+import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -347,13 +348,17 @@ public class InternalCryptoServiceTests extends ElasticsearchTestCase {
         service.register(new CryptoService.Listener() {
             @Override
             public void onKeyChange(SecretKey oldSystemKey, SecretKey oldEncryptionKey) {
-                assertThat(oldSystemKey, notNullValue());
-                final String unsigned = service.unsignAndVerify(signed, oldSystemKey);
-                assertThat(unsigned, equalTo(text));
-                final String newSigned = service.sign(unsigned);
-                assertThat(newSigned, not(equalTo(signed)));
-                assertThat(newSigned, not(equalTo(text)));
-                latch.countDown();
+                try {
+                    assertThat(oldSystemKey, notNullValue());
+                    final String unsigned = service.unsignAndVerify(signed, oldSystemKey);
+                    assertThat(unsigned, equalTo(text));
+                    final String newSigned = service.sign(unsigned);
+                    assertThat(newSigned, not(equalTo(signed)));
+                    assertThat(newSigned, not(equalTo(text)));
+                    latch.countDown();
+                } catch (IOException e) {
+                    logger.error("caught exception in key change listener", e);
+                }
             }
         });
 
diff --git a/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java b/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
index b63419ab4b9..8e072163763 100644
--- a/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/shield/ShieldIntegration.java
@@ -5,6 +5,7 @@
  */
 package org.elasticsearch.watcher.shield;
 
+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.inject.Inject;
 import org.elasticsearch.common.inject.Injector;
 import org.elasticsearch.common.settings.Settings;
@@ -15,6 +16,8 @@ import org.elasticsearch.shield.authc.AuthenticationService;
 import org.elasticsearch.transport.TransportMessage;
 import org.elasticsearch.watcher.WatcherVersion;
 
+import java.io.IOException;
+
 /**
  *
  */
@@ -48,7 +51,11 @@ public class ShieldIntegration {
 
     public void bindWatcherUser(TransportMessage message) {
         if (authcService != null) {
-            ((AuthenticationService) authcService).attachUserHeaderIfMissing(message, ((WatcherUserHolder) userHolder).user);
+            try {
+                ((AuthenticationService) authcService).attachUserHeaderIfMissing(message, ((WatcherUserHolder) userHolder).user);
+            } catch (IOException e) {
+                throw new ElasticsearchException("failed to attach watcher user to request", e);
+            }
         }
     }