How to get a NodeClient inside a X-Pack plugin?

Good idea, thanks @Marcel-Hillmann. Worked like a charm until

{
        "error": {
            "root_cause": [
                {
                    "type": "security_exception",
                    "reason": "action [indices:data/read/search] is unauthorized for user [_system]",
                    "header": {
                        "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
                    }
                }
            ],
            "type": "security_exception",
            "reason": "action [indices:data/read/search] is unauthorized for user [_system]",
            "header": {
                "WWW-Authenticate": "Basic realm=\"security\" charset=\"UTF-8\""
            }
        },
        "status": 403
    }

The _system user is used by xpack internally. It seems
Looking at the documentation

tells us:

Using the Java Node Client with secured clusters is not recommended or supported.

I added the _system user via the user_roles file to the superuser group, didn't change anything. Interestingly the Authorization: Basic header I add isn't used in the request even though the internal-callback is.

{
    Map<String, String> headers = new HashMap<String, String>();
    headers.put("internal-callback", "internal-callback");
    headers.put("Authorization", "Basic ");
    Client authClient = client.filterWithHeader(headers);
    SearchRequestBuilder request = authClient.prepareSearch("admin-stuff").setTypes("grp").setQuery(QueryBuilders.matchAllQuery());
}

Resulting in log output:

[2018-11-14T12:33:54,975][INFO ][i.z.s.p.e.j.JWTSecurityRealm] TOKEN:{Authorization=Bearer JWT-TOKEN}
[2018-11-14T12:33:55,085][WARN ][i.z.s.p.e.j.JWTSecurityRealm] REALM: org.elasticsearch.client.node.NodeClient@588d630d
[2018-11-14T12:33:55,092][INFO ][i.z.s.p.e.j.JWTSecurityRealm] {"query":{"match_all":{"boost":1.0}}}
[2018-11-14T12:33:55,093][INFO ][i.z.s.p.e.j.JWTSecurityRealm] TOKEN:{Authorization=Bearer JWT-TOKEN, internal-callback=internal-callback}