Open Closed

[DisableAuditing] not working on Controller and Controller Action #3901


User avatar
0
jeflux created
  • ABP Framework version: v5.3.4
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: N/A
  • Steps to reproduce the issue:" -1. Add Health Controller -2. Hit Health Controller

We're running a microservices template. We have multiple health checks to ensure each service is reachable. Our Kubernetes environment, by default, was hitting the home path which would load the Swagger docs page. This resulted in loads of ELK logging. Our solution was to implemented a super lightweight Health controller that just returns a simple 200 response. While we have successfully reduced ELK logging, we noticed that ABP Audit logs are being created for each health check (many services getting health checks 2x per minute).

We've reviewed the Audit Logging documentation, but we cannot get the [DisableAuditing] attribute to work. Here is our lightweight Health Controller:

using Microsoft.AspNetCore.Mvc;
using Volo.Abp;
using Volo.Abp.AspNetCore.Mvc;
using Volo.Abp.Auditing;

namespace Acme.InvitationService.Controllers
{
    [RemoteService(Name = "DemoService")]
    [Area("demoService")]
    [ControllerName("Health")]
    [Route("api/demo-service/health")]
    [DisableAuditing]
    public class HealthController : AbpController
    {
        [DisableAuditing]
        [HttpGet]
        [ApiExplorerSettings(IgnoreApi = true)]
        public ActionResult Index()
        {
            return Ok("DemoService is reachable!");
        }
    }
}

You can see that we've put the attribute at the Controller and Action level (and have tried both separately). We have configured IsEnabledForGetRequests to true in the AbpAuditingOptions and would prefer to not turn this off as we're in a highly-regulated industry.

Any help identifying what we're doing wrong will be appreciated. Or, some guidance on how to debug what's going wrong. Thank you!


5 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you try the IgnoredUrls?

    
    Configure<AbpAspNetCoreAuditingOptions>(options =>
    {
        options.IgnoredUrls.AddIfNotContains("xxx");
    });
    
  • User Avatar
    0
    jeflux created

    AbpAspNetCoreAuditingOptions

    This does work. Thank you!

    However, was I misunderstanding how it should work? Should the [DisableAuditing] attribute work in the controller example I posted? Does IsEnabledForGetRequests=true ignore that attribute?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    There is the audit logic.

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Auditing/AbpAuditingMiddleware.cs#L39

  • User Avatar
    0
    jeflux created

    hi

    There is the audit logic.

    https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/Auditing/AbpAuditingMiddleware.cs#L39

    I've read through the logic, but I still don't understand why the [DisableAuditing] attribute has no effect. The documentation leads me to believe that the attribute should exclude the controller/action from audting: https://docs.abp.io/en/abp/5.3/Audit-Logging#enable-disable-for-controllers-actions

    By adding the path to the ignored URL collection, this does work. And I can see in the logic why that works.

    When I don't have the path ignored (and IsEnabledForGetRequests is true), it appears to me that the ShouldWriteAuditLogAsync() method in the logic you reference should return false by checking for the [DisableAuditing] attribute, but it's returning true either from something in AuditingOptions.AlwaysLogSelectors or just getting the default true response of the method.

    Is there an "AlwaysLogSelector" that overrides the DisableAuditing attribute?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    s there an "AlwaysLogSelector" that overrides the DisableAuditing attribute?

    No. There is only [Auditing] attribute.

    I will recheck the logic of the AbpAuditingMiddleware, Thanks.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09