Zixuan Liu

> It's like if proxy only check authentication Correct. > Why the broker doesn't check the authorization part ? This broker can check the client role and proxy role. Does...

Go and Java design are different. In the Go, we have a gorotinue to check the timeout. Maybe your application needs to wait for 60 seconds, is it right? I'm...

It looks like you want to reduce the maximum retry time and retry interval. > The problem I see with this change is that it allows misconfigured clients that retry...

Ok, I see. We need to reduce the retry interval, not limit the max retry time, this is the root cause. https://github.com/cenkalti/backoff/blob/v4/exponential.go#L39-L50 provides an example, could you checkout? BTW, the...

[spotless](https://github.com/diffplug/spotless) +1, LGTM

> Broker performs authorization for both proxy's principal name and original principal name and both principal names must be present in namespace authorization policy. When using a proxy, the broker...

Sounds good, but if someone uses the proxy to control access, this will break the user behavior. ``` user1->proxy1- \ topic-1 / user2->proxy2- ``` the pulsar manager uses multiple proxies...

> How does it matter? `ServiceConfiguration::proxyRoles` is a list of proxy roles and broker can have multiple proxy roles to allow access. **`ServiceConfiguration::proxyRoles` checks if the authentication principal is a...

You are right. By the way, we should also implement `org.apache.pulsar.broker.service.persistent.PersistentDispatcherSingleActiveConsumer#addUnAckedMessages`.

> It seems we have been leaked some resources for long, really? Need more eyes. @nicoloboschi @hangc0276 @nodece Looks like it. We should take care of it.