OK, now I understand the problem. We connected OK to ROR, but it was wide open. We did not take into account that Kibana/Elastic on the same machine would be an issue; that is the config advice on the ES website, to locate Kibana on the coordinating node (same server).
I solved the issue by giving Kibana the external ES IP to connect to, and it is working as designed now.
So now we have:
T1 (master node) ROR on
T2 (coordinating node) Kibana on with KBN plugin.
kibana.yml has the external IP of T1 as the URL, and now the list is working with restrictions and elasticsearch.log is updated with failed login attempts.
It is going to Prod today.