diff --git a/.kitchen.yml b/.kitchen.yml
index 66dc571ad..09be3858a 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -102,3 +102,12 @@ suites:
     run_list:
       - recipe[java]
       - recipe[elasticsearch_test::default_with_plugins]
+
+  - name: shieldwatcher # install licensed plugins for testing
+    require_chef_omnibus: true
+    run_list:
+      - recipe[java]
+      - recipe[elasticsearch_test::shieldwatcher]
+    attributes:
+      elasticsearch:
+        install_type: package
diff --git a/libraries/provider_plugin.rb b/libraries/provider_plugin.rb
index f388539f7..03a8fa410 100644
--- a/libraries/provider_plugin.rb
+++ b/libraries/provider_plugin.rb
@@ -32,11 +32,11 @@ def manage_plugin(arguments)
 
     # shell_out! automatically raises on error, logs command output
     # required for package installs that show up with parent dir owned by root
-    shell_out!("mkdir -p #{es_conf.path_plugins[es_install.type]}") unless ::File.exist?(es_conf.path_plugins[es_install.type])
-    shell_out!("chown #{es_user.username}:#{es_user.groupname} #{es_conf.path_plugins[es_install.type]}")
-
-    shell_out!("#{es_conf.path_bin[es_install.type]}/plugin #{arguments.chomp(' ')}".chomp(' ').split(' '), user: es_user.username, group: es_user.groupname)
+    plugin_dir_exists = ::File.exist?(es_conf.path_plugins[es_install.type])
+    shell_out_as_user!("mkdir -p #{es_conf.path_plugins[es_install.type]}", run_context) unless plugin_dir_exists
 
+    command_array = "#{es_conf.path_bin[es_install.type]}/plugin #{arguments.chomp(' ')}".chomp(' ').split(' ')
+    shell_out_as_user!(command_array, run_context)
     new_resource.updated_by_last_action(true)
   end
 
@@ -72,4 +72,19 @@ def assert_state_is_valid(es_user, es_install, es_conf)
 
     return true
   end
+
+  def shell_out_as_user!(command, run_ctx)
+    es_install = find_es_resource(run_ctx, :elasticsearch_install, new_resource)
+
+    # See this link for an explanation:
+    # https://www.elastic.co/guide/en/elasticsearch/plugins/2.1/plugin-management.html
+    if es_install.type == :package
+      # package installations should install plugins as root
+      shell_out!(command)
+    else
+      # non-package installations should install plugins as the ES user
+      es_user = find_es_resource(run_ctx, :elasticsearch_user, new_resource)
+      shell_out!(command, user: es_user.username, group: es_user.groupname)
+    end
+  end
 end # provider
diff --git a/test/fixtures/cookbooks/elasticsearch_test/recipes/shieldwatcher.rb b/test/fixtures/cookbooks/elasticsearch_test/recipes/shieldwatcher.rb
new file mode 100644
index 000000000..fc64474d7
--- /dev/null
+++ b/test/fixtures/cookbooks/elasticsearch_test/recipes/shieldwatcher.rb
@@ -0,0 +1,11 @@
+# Cookbook Name:: elasticsearch_test
+# Recipe:: shieldwatcher
+
+include_recipe "#{cookbook_name}::default_with_plugins"
+
+# test these since they need to write to 'bin' directory
+%w(license shield watcher).each do |plugin_name|
+  elasticsearch_plugin plugin_name do
+    notifies :restart, 'elasticsearch_service[elasticsearch]', :delayed
+  end
+end
diff --git a/test/integration/helpers/serverspec/plugin_examples.rb b/test/integration/helpers/serverspec/plugin_examples.rb
index f0ded27c4..0a0f17d63 100644
--- a/test/integration/helpers/serverspec/plugin_examples.rb
+++ b/test/integration/helpers/serverspec/plugin_examples.rb
@@ -1,10 +1,11 @@
 require_relative 'spec_helper'
 
 shared_examples_for 'elasticsearch plugin' do |plugin_name, args = {}|
-  expected_user = args[:user] || 'elasticsearch'
+  expected_user = args[:user] || (package? ? 'root' : 'elasticsearch')
   expected_group = args[:group] || expected_user || 'elasticsearch'
-  expected_home = args[:home] || (package? ? "/usr/share/#{expected_user}" : "/usr/local/#{expected_user}")
+  expected_home = args[:home] || (package? ? '/usr/share/elasticsearch' : '/usr/local/elasticsearch')
   expected_plugin = args[:plugin] || (package? ? "#{expected_home}/plugins/#{plugin_name}" : "#{expected_home}/plugins/#{plugin_name}")
+  expected_response_code = args[:response_code] || 200
 
   describe file(expected_plugin) do
     it { should be_directory }
@@ -13,6 +14,6 @@
   end
 
   describe command("curl -s -o /dev/null -w \"%{http_code}\" http://127.0.0.1:9200/_plugin/#{plugin_name}/") do
-    its(:stdout) { should match(/200/) }
+    its(:stdout) { should match(/#{expected_response_code}/) }
   end
 end
diff --git a/test/integration/helpers/serverspec/service_examples.rb b/test/integration/helpers/serverspec/service_examples.rb
index 4a81ca856..f7c7d5b5f 100644
--- a/test/integration/helpers/serverspec/service_examples.rb
+++ b/test/integration/helpers/serverspec/service_examples.rb
@@ -1,12 +1,14 @@
 require_relative 'spec_helper'
 
 shared_examples_for 'elasticsearch service' do |service_name = 'elasticsearch', args = {}|
+  content_match = args[:content] || 'elasticsearch'
+
   describe service(service_name) do
     it { should be_enabled }
     it { should be_running }
   end
 
   describe command('curl http://localhost:9200') do
-    its(:stdout) { should match(/elasticsearch/) }
+    its(:stdout) { should match(/#{content_match}/) }
   end
 end
diff --git a/test/integration/shieldwatcher/serverspec/default_spec.rb b/test/integration/shieldwatcher/serverspec/default_spec.rb
new file mode 100644
index 000000000..10a1c8666
--- /dev/null
+++ b/test/integration/shieldwatcher/serverspec/default_spec.rb
@@ -0,0 +1,15 @@
+require_relative 'spec_helper'
+
+describe 'standard elasticsearch install and configure' do
+  it_behaves_like 'elasticsearch user'
+  it_behaves_like 'elasticsearch install'
+  it_behaves_like 'elasticsearch configure'
+
+  # because shield, these now should return failures
+  it_behaves_like 'elasticsearch plugin', 'head', response_code: 401
+  it_behaves_like 'elasticsearch service', 'elasticsearch', content: 'missing authentication'
+end
+
+describe package('elasticsearch') do
+  it { should be_installed }
+end