We already have a cluster with 3 master nodes , 5 data nodes, 3 client nodes, 1 node for monitoring(kibana and marvel to monitor the cluster - not part of the cluster ). We currently don't have shield. We are planning to implement Shield. For now, we are planning to use only basic auth. Just create a admin and user role and share the user basic auth credentials to teams that consume the data in elastic search(so that they can make only GET calls). We will keep the admin credentials within a closed group. Can someone please me understand which nodes require shield installation and what are the factors / attributes that have to be considered?