diff --git a/qa/rolling-upgrade/build.gradle b/qa/rolling-upgrade/build.gradle
index 7905da74c70..5a014e08c6f 100644
--- a/qa/rolling-upgrade/build.gradle
+++ b/qa/rolling-upgrade/build.gradle
@@ -99,6 +99,19 @@ test.enabled = false // no unit tests for rolling upgrades, only the rest integr
 
 check.dependsOn(integTest)
 
+dependencies {
+    testCompile project(path: ':x-plugins:elasticsearch', configuration: 'runtime')
+}
+
+// copy x-pack plugin info so it is on the classpath and security manager has the right permissions
+String outputDir = "generated-resources/${project.name}"
+task copyXPackPluginProps(type: Copy) {
+    from project(':x-plugins:elasticsearch').file('src/main/plugin-metadata')
+    from project(':x-plugins:elasticsearch').tasks.pluginProperties
+    into outputDir
+}
+project.sourceSets.test.output.dir(outputDir, builtBy: copyXPackPluginProps)
+
 repositories {
     maven {
         url "https://oss.sonatype.org/content/repositories/snapshots/"
diff --git a/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/mixed_cluster/20_security.yaml b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/mixed_cluster/20_security.yaml
new file mode 100644
index 00000000000..e849403417a
--- /dev/null
+++ b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/mixed_cluster/20_security.yaml
@@ -0,0 +1,31 @@
+---
+"Verify user and role in mixed cluster":
+  - do:
+      headers:
+        Authorization: "Basic bmF0aXZlX3VzZXI6Y2hhbmdlbWU="
+      cluster.health:
+        wait_for_status: yellow
+        wait_for_nodes: 2
+        timeout: 25s
+  - match: { timed_out: false }
+
+  - do:
+      xpack.security.get_user:
+        username: "native_user"
+  - match: { native_user.username:  "native_user" }
+  - match: { native_user.roles.0:  "native_role" }
+
+  - do:
+      xpack.security.get_role:
+        name: "native_role"
+  - match: { native_role.cluster.0:  "all" }
+  - match: { native_role.indices.0.names.0: "test_index" }
+  - match: { native_role.indices.0.privileges.0:  "all" }
+
+  - do:
+      xpack.security.clear_cached_roles:
+        name: "native_role"
+
+  - do:
+      xpack.security.clear_cached_realms:
+        realms: "_all"
diff --git a/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yaml b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yaml
new file mode 100644
index 00000000000..a2c98e54793
--- /dev/null
+++ b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/old_cluster/20_security.yaml
@@ -0,0 +1,59 @@
+---
+"Create user and role":
+  - do:
+     cluster.health:
+        wait_for_status: green
+        wait_for_nodes: 2
+        timeout: 25s
+
+  - do:
+     xpack.security.put_user:
+       username: "native_user"
+       body:  >
+           {
+             "password" : "changeme",
+             "roles" : [ "native_role" ]
+           }
+  - match: { user: { created: true } }
+
+  - do:
+      xpack.security.put_role:
+        name: "native_role"
+        body:  >
+            {
+              "cluster": ["all"],
+              "indices": [
+                {
+                  "names": "test_index",
+                  "privileges": ["all"]
+                }
+              ]
+            }
+  - match: { role: { created: true } }
+
+  # validate that the user and role work in the cluster by executing a health request and getting a valid response back
+  - do:
+      headers:
+        Authorization: "Basic bmF0aXZlX3VzZXI6Y2hhbmdlbWU="
+      cluster.health: {}
+  - match: { timed_out: false }
+
+  - do:
+      xpack.security.clear_cached_roles:
+        name: "native_role"
+
+  - do:
+      xpack.security.clear_cached_realms:
+        realms: "_all"
+
+  - do:
+      cluster.health:
+        index: ".monitoring-*" # include monitoring-data-* and monitoring-es-*
+        wait_for_active_shards: 4 # 1 primary and 1 replica each for the two monitoring indices
+        timeout: 25s
+
+  - do:
+      cluster.health:
+        index: ".security"
+        wait_for_active_shards: 2 # 1 primary and 1 replica since we have two nodes
+        timeout: 25s
diff --git a/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/upgraded_cluster/20_security.yaml b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/upgraded_cluster/20_security.yaml
new file mode 100644
index 00000000000..889efb3d1f5
--- /dev/null
+++ b/qa/rolling-upgrade/src/test/resources/rest-api-spec/test/upgraded_cluster/20_security.yaml
@@ -0,0 +1,23 @@
+---
+"Verify user and role in upgraded cluster":
+  - do:
+      headers:
+        Authorization: "Basic bmF0aXZlX3VzZXI6Y2hhbmdlbWU="
+      cluster.health:
+        wait_for_status: green
+        wait_for_nodes: 2
+        timeout: 25s
+  - match: { timed_out: false }
+
+  - do:
+      xpack.security.get_user:
+        username: "native_user"
+  - match: { native_user.username:  "native_user" }
+  - match: { native_user.roles.0:  "native_role" }
+
+  - do:
+      xpack.security.get_role:
+        name: "native_role"
+  - match: { native_role.cluster.0:  "all" }
+  - match: { native_role.indices.0.names.0: "test_index" }
+  - match: { native_role.indices.0.privileges.0:  "all" }