Hi @dzyubanv, ROR is so nice and simple because it literally doesn't even know about being in a cluster.
Instead, ROR is a simple stateless access control layer for HTTP requests. This means you should install it in whatever ES node where you expect to receive HTTP requests.
NB: exception to being cluster-unaware = ROR can store its settings in the ".readonlyrest" index.
NB: exception to being stateless = some async authz/authc connectors may have some in-memory caching.