kubeflow icon indicating copy to clipboard operation
kubeflow copied to clipboard
verified publisher icon kubeflow

Email validation regex is too restrictive

Open reem opened this issue 5 years ago • 13 comments

/kind bug

What steps did you take and what happened:

Attempted to add a contributor with an email address on a .network domain. Received "Contributor doesn't look like a valid email address"

What did you expect to happen:

User is added as normal.

Anything else you would like to add:

This regex: https://github.com/kubeflow/kubeflow/blob/master/components/centraldashboard/app/api_workgroup.ts#L11-L12

Is used to validate emails, and is too simple. It demands that your TLD contains only 2 or 3 characters, which rejects many valid domains.

Environment:

  • Kubeflow version: (version number can be found at the bottom left corner of the Kubeflow dashboard):
  • kfctl version: (use kfctl version):
  • Kubernetes platform: (e.g. minikube)
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):

reem avatar May 07 '20 17:05 reem

Issue Label Bot is not confident enough to auto-label this issue. See dashboard for more details.

issue-label-bot[bot] avatar May 07 '20 17:05 issue-label-bot[bot]

Did you try adding the user directly by creating appropriate RBAC and ISTIORBAC resources?

jlewi avatar May 09 '20 18:05 jlewi

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 08 '20 02:08 stale[bot]

This is still an issue in the latest kubeflow release, the regex is still rejecting completely valid emails, issue is not stale. Adding the users directly is a very involved workaround for end users to have to go through.

reem avatar Jan 07 '21 20:01 reem

Now that pipelines are scoped by user/namespace, this has become a pretty strong blocker for granting access to important namespaces for these users.

reem avatar Jan 07 '21 20:01 reem

/reopen /lifecycle frozen

Hi @reem! The contributor UI is not a very well-maintained component. Its backend (KFAM) is following a road to deprecation.

So I have 2 suggestions: First, did this approach work for you?

Did you try adding the user directly by creating appropriate RBAC and ISTIORBAC resources?

It's not UI-driven, but enables you to understand the necessary permissions and possibly build tooling on top of that.

Another way would be to make a contribution to relax this validation check, if the UI is useful for your case.

cc @kubeflow/wg-notebooks-leads

yanniszark avatar Jan 08 '21 10:01 yanniszark

@yanniszark: Reopened this issue.

In response to this:

/reopen /lifecycle frozen

Hi @reem! The contributor UI is not a very well-maintained component. Its backend (KFAM) is following a road to deprecation.

So I have 2 suggestions: First, did this approach work for you?

Did you try adding the user directly by creating appropriate RBAC and ISTIORBAC resources?

It's not UI-driven, but enables you to understand the necessary permissions and possibly build tooling on top of that.

Another way would be to make a contribution to relax this validation check, if the UI is useful for your case.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 08 '21 10:01 k8s-ci-robot

There's a conflict between this regex pattern and manual-profile-creation. "manual-profile-creation" have no validation on email. It's just a string.

on centraldashboard's "Manage Contributors" page, I can't remove manually-created contributor(static user) from namespace because of this regex.

kim-sardine avatar Feb 06 '21 15:02 kim-sardine

@kim-sardine Could you maybe raise a new issue about this, as this issue is regarding the regex being too restrictive. The problem of no email validation happening in the profile CR is quite different.

davidspek avatar Jun 04 '21 12:06 davidspek

@yanniszark @DavidSpek I see that the PR with the fix was closed by a stale bot. Can we reopen and finish it? I also have same issue with the .life TLD in my org

sergeyshevch avatar Jan 27 '23 10:01 sergeyshevch

I'd like to see this bug fixed also. Can we re-open the PR?

sfrolich avatar Mar 05 '24 22:03 sfrolich

@sfrolich if you are interested in raising a PR to effectively make the validation the same as the HTML <input type"email"> email validation, I am happy to review.

The HTML spec lists its regex here: https://html.spec.whatwg.org/multipage/input.html#valid-e-mail-address

/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/

I will put it in the 1.8.1 tracker issue, so I don't forget:

  • https://github.com/kubeflow/kubeflow/issues/7453

thesuperzapper avatar Mar 05 '24 22:03 thesuperzapper

Also, for those needing a solution before we fix this, you can bypass this restriction by manually creating the Profile, see the docs for more info:

  • https://www.kubeflow.org/docs/components/central-dash/profiles/#manage-contributors-manually

thesuperzapper avatar Mar 05 '24 23:03 thesuperzapper