gubertoli/mosquitto-casbin

Mosquitto Casbin Access Control Plugin

A flexible authorization plugin for the Mosquitto MQTT Broker (v2.0+) that delegates access control decisions to Casbin.

This plugin implements the Mosquitto Plugin Interface v5. It is designed to be authentication-agnostic, meaning it focuses solely on Authorization and can work alongside password files, TLS certificate authentication, or anonymous access.

Features

  • Granular Access Control: Manage permissions using Casbin's powerful policy engine (ACL, RBAC, ABAC).
  • Authentication Agnostic: Automatically resolves the user identity from:
    1. MQTT Username (Password auth or TLS use_identity_as_username)
    2. TLS Certificate Common Name (CN) (if no username is present)
    3. Fallback to "anonymous"

Dependencies

To build this plugin, you need a C++17 compatible compiler and the following:

  • CMake (>= 3.19)
  • Mosquitto (Development headers for v2.0+)
  • OpenSSL

Build

mkdir build && cd build
cmake ..
make

This will produce the shared library file: mosquitto-casbin.so.

Configuration

  1. Configure Mosquitto (mosquitto.conf): Add the following lines to your mosquitto.conf to load the plugin and point it to your Casbin files.

# Load the plugin
plugin /path/to/build/mosquitto-casbin.so

# Path to the Casbin Model definition
auth_opt_casbin_model  /etc/mosquitto/casbin/model.conf

# Path to the Casbin Policy file
auth_opt_casbin_policy /etc/mosquitto/casbin/policy.csv

  2. Configure Casbin: The plugin maps MQTT events to a Casbin Request tuple (sub, obj, act) as follows:

sub (Subject): The Client Identity (Username, Cert CN, or "anonymous").

obj (Object): The MQTT Topic (e.g., sensors/temp).

act (Action): The operation type: read, write, or subscribe.
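
A starting model and policy for that tuple, as an added example that is not part of the project's own files. The role names, client names and topics are constructed, and the keyMatch topic matcher is an assumption: the README does not say how the plugin expects topics to be matched, and the MQTT wildcards + and # are not Casbin patterns.

```shell
#!/bin/sh
# Added example: writes a constructed RBAC model and policy for the
# (sub, obj, act) request tuple. All subjects, roles and topics below are
# hypothetical; adapt them to your own clients.
write_casbin_files() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # Model: allow only when some policy rule matches (deny otherwise).
    cat > "$dir/model.conf" <<'EOF'
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
EOF

    # Policy: p = role/subject, topic pattern, action; g = subject, role.
    cat > "$dir/policy.csv" <<'EOF'
p, sensor, sensors/*, write
p, dashboard, sensors/*, subscribe
p, dashboard, sensors/*, read
p, anonymous, public/status, subscribe
p, anonymous, public/status, read
g, device-01, sensor
g, grafana, dashboard
EOF

    # The policy decides who may touch which topic, so it should be
    # writable by the administrator only and readable by the broker.
    chmod 644 "$dir/model.conf" "$dir/policy.csv"
}

# Usage (directory taken from the mosquitto.conf lines above):
#   write_casbin_files /etc/mosquitto/casbin
```

Mosquitto checks subscribe when a client subscribes and read when a message is about to be delivered to it, so a subscribing role needs both actions. Because this model allows only on a matching rule, the "anonymous" fallback identity gets nothing beyond the topics listed for it.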
