I have a funny feeling this might be https://gerrit.wikimedia.org/r/#/c/345637/ but it was a long time ago - that adds various references to zone_primary_or_admin, but it isn't defined for liberty or mitaka, only ocata:
alex@alex-laptop:~/Development/Wikimedia/Operations-Puppet (production)$ git grep zone_primary_or_admin
modules/openstack/files/liberty/designate/policy.json: "create_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/liberty/designate/policy.json: "update_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/liberty/designate/policy.json: "delete_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/mitaka/designate/policy.json: "create_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/mitaka/designate/policy.json: "update_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/mitaka/designate/policy.json: "delete_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/ocata/designate/policy.json: "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)",
modules/openstack/files/ocata/designate/policy.json: "create_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/ocata/designate/policy.json: "update_recordset": "rule:zone_primary_or_admin",
modules/openstack/files/ocata/designate/policy.json: "delete_recordset": "rule:zone_primary_or_admin",