holy fucking shit. I read whole your reply over again and i found this issue:
First, I used
GET _opendistro/_security/api/account
to check which role is mapped to my account. I see all custom roles I created include own_index.
Then I tried to remove “*” from hosts in roles mapping
PUT _opendistro/_security/api/rolesmapping/wtf
{
"backend_roles" : [ "wtf" ],
"hosts" : [ "" ],
"users" : [ "wtf" ]
}
Then I see that role is not mapped to the user which has a problem. Then I set all of them to null. Then my desire read-only user no longer can delete it. You know the problem from the early time but I haven’t enough smart to understand what u said.
Thank you so much again @Anthony 
