Bug 2271398

Summary: keycloak-httpd-client-install doesn't work without python3-lxml but it's not dependency and not documented
Product: Red Hat Satellite
Reporter: Lukáš Hellebrandt <lhellebr>
Component: Authentication
Assignee: Adam Lazik <alazik>
Status: CLOSED CURRENTRELEASE
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Priority: unspecified
Version: 6.15.0
CC: alazik, aruzicka, ekohlvan, mhulan, osousa, rlavi
Target Milestone: Unspecified
Keywords: Documentation, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2024-04-16 09:53:23 UTC
Type: Bug

Description Lukáš Hellebrandt 2024-03-25 12:42:05 UTC
Description of problem:
keycloak-httpd-client-install doesn't work without python3-lxml rpm installed, the error message is:
```
from lxml import etree
ModuleNotFoundError: No module named 'lxml'
```

keycloak-httpd-client-install doesn't have python3-lxml as a requirement.

Our documentation doesn't mention python3-lxml needs to be installed manually:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.14/html/installing_satellite_server_in_a_connected_network_environment/configuring_external_authentication_satellite#Configuring_Project_with_Keycloak_Authentication_keycloak-general

This KB article shows the solution:
https://access.redhat.com/solutions/7048727

I think this BZ should be flipped either into an RHSSO bug because the package should have a dependency specified, or a Satellite docs bug because we should document the package needs to be installed manually. I will leave it up to triage.

Version-Release number of selected component (if applicable):
All

How reproducible:
Deterministic

Steps to Reproduce:
1. Follow the linked docs

Actual results:
Error, docs can't be followed and the KB article needs to be followed to continue

Expected results:
python3-lxml is either installed automatically as a dependency or the docs mention its installation

Comment 1 Odilon Sousa 2024-03-25 15:02:56 UTC
Hi @lhellebr 

On Satellite we package python-lxml, but we only package it with our supported version of Python, which for 6.15 is python3.11. You can run dnf info python3.11-lxml and the package will be present in the list.

For python3-lxml, this is the packaging built with the base python from the RHEL release, it would be necessary to add python3-lxml to the requirements of keycloak-httpd-client-install if that's the package/module requiring lxml, we don't control keycloak-httpd-client-install or mod_auth_openidc at Satellite Packaging.
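
The point in the comment above is that lxml has to be importable by the interpreter that actually runs keycloak-httpd-client-install, and that the RPM should declare it. The following is an added example, not code from this bug or from either package, that probes each interpreter separately and scans `rpm -q --requires` output for the dependency; the interpreter names and the sample requires output are assumptions constructed for illustration.

```python
"""Added example: per-interpreter lxml check and RPM requirement scan."""
import shutil
import subprocess


def can_import(interpreter, module="lxml.etree"):
    """Return True if `interpreter` can import `module`, False if it cannot,
    and None if the interpreter is not present on this host."""
    path = shutil.which(interpreter)
    if path is None:
        return None
    # The module name is passed as an argument, not spliced into the code.
    probe = "import importlib, sys; importlib.import_module(sys.argv[1])"
    result = subprocess.run(
        [path, "-c", probe, module],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=30,
    )
    return result.returncode == 0


def declares_requirement(requires_output,
                         names=("python3-lxml", "python3dist(lxml)")):
    """Return True if `rpm -q --requires <pkg>` output lists one of `names`."""
    for line in requires_output.splitlines():
        fields = line.split()
        # First field is the capability; a version constraint may follow it.
        if fields and fields[0] in names:
            return True
    return False


# Constructed sample of `rpm -q --requires` output, not from a real package.
SAMPLE_REQUIRES = """\
/usr/bin/python3
python(abi) = 3.6
python3-requests
rpmlib(CompressedFileNames) <= 3.0.4-1
"""

if __name__ == "__main__":
    # Interpreter names are assumptions; adjust to what the host provides.
    for interp in ("python3", "python3.11", "/usr/libexec/platform-python"):
        print(interp, "->", can_import(interp))
    print("declares lxml:", declares_requirement(SAMPLE_REQUIRES))
```

A `True` for python3.11 alongside a `False` for the interpreter that runs the tool reproduces the situation in this bug: lxml is on the host, but not for the Python that needs it.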

Comment 2 Adam Ruzicka 2024-03-27 09:09:35 UTC
Filed https://issues.redhat.com/browse/RHEL-30559 against rhel to have the dependency added. In the meantime, let's reuse the bz for resolving this in our docs.

Comment 3 Adam Lazik 2024-03-28 12:01:14 UTC
Hi, created PR to add python3-lxml to the step with installing packages: https://github.com/theforeman/foreman-documentation/pull/2918

Comment 4 Ewoud Kohl van Wijngaarden 2024-04-03 10:12:07 UTC
(In reply to Lukáš Hellebrandt from comment #0)
> Description of problem:
> keycloak-httpd-client-install doesn't work without python3-lxml rpm
> installed, the error message is:
> ```
> from lxml import etree
> ModuleNotFoundError: No module named 'lxml'
> ```
> 
> keycloak-httpd-client-install doesn't have python3-lxml as a requirement.

Which version do you have installed? There's a keycloak-httpd-client-install in RHEL appstream (1.0 for RHEL 8), but we also ship one ourselves (1.2.2) which does contain the dependency.

> Our documentation doesn't mention python3-lxml needs to be installed
> manually:

Because it shouldn't be needed.

> I think this BZ should be flipped either into an RHSSO bug because the
> package should have a dependency specified, or a Satellite docs bug because
> we should document the package needs to be installed manually. I will leave
> it up to triage.

There should be a bug against RHEL for the base version, but our version is correct. At least in upstream.

If you didn't enable the DNF module, then you don't get our version. I also only tested upstream, but it could be an issue in the Satellite repos.

Comment 5 Ewoud Kohl van Wijngaarden 2024-04-03 10:13:55 UTC
(In reply to Odilon Sousa from comment #1)
> For python3-lxml, this is the packaging built with the base python from the
> RHEL release, it would be necessary to add python3-lxml to the requirements
> of keycloak-httpd-client-install if that's the package/module requiring
> lxml, we don't control keycloak-httpd-client-install or mod_auth_openidc at
> Satellite Packaging.

In upstream we do have a newer version of keycloak-httpd-client-install:
https://github.com/theforeman/foreman-packaging/tree/rpm/develop/packages/foreman/keycloak-httpd-client-install

Comment 6 Ewoud Kohl van Wijngaarden 2024-04-03 14:06:51 UTC
Digging deeper we have:

* RHEL 7 ships https://github.com/jdennis/keycloak-httpd-client-install version 0.8
* RHEL 8 ships https://github.com/jdennis/keycloak-httpd-client-install version 1.0
* RHEL 9 ships https://github.com/jdennis/keycloak-httpd-client-install version 1.1
* Fedora also ships https://src.fedoraproject.org/rpms/keycloak-httpd-client-install version 1.1

In upstream we use https://github.com/jdennis/keycloak-httpd-client-install version 1.2

This fork has effectively two patches:

* https://github.com/jdennis/keycloak-httpd-client-install/commit/6dd6b7d9c7241a2d2054a6cabd96b0ff2b77e760 include keycloak-rest as a binary
* https://github.com/jdennis/keycloak-httpd-client-install/commit/d60f325eb85bfdf41cbbcd7209d75cd7cca059e4 Python 2 compatibility

The former is also included in Fedora & RHEL, the latter is irrelevant on RHEL 8+.

That only leaves the difference between RHEL 8 & 9, which is 1.0 vs 1.1:

https://github.com/jdennis/keycloak-httpd-client-install/compare/RELEASE_1_0...RELEASE_1_1 doesn't show anything that looks needed. My suspicion is that in upstream we added keycloak-httpd-client-install for EL7 support (0.8 doesn't support mod_auth_openidc) and then continued building it for newer releases, unaware that we could rely on the base OS.

I see a few follow up actions:
* Open a bug against RHEL 8
* Change the Satellite documentation to install python3-lxml, referencing the above bug to note it was only for RHEL 8
* Either once the bug is resolved or once we drop RHEL 8 we stop installing python3-lxml in the documentation
* Upstream we consider how to move away from our custom package

Comment 7 Ewoud Kohl van Wijngaarden 2024-04-08 16:34:26 UTC
(In reply to Ewoud Kohl van Wijngaarden from comment #6)
> In upstream we use https://github.com/jdennis/keycloak-httpd-client-install
> version 1.2

This should be https://github.com/latchset/keycloak-httpd-client-install

> I see a few follow up actions:
> * Open a bug against RHEL 8

https://issues.redhat.com/browse/RHEL-31496